How to Buy a Security Company: 2026 Acquisition Playbook

Key Takeaways

• Residential alarm portfolios trade at 28x to 36x RMR; commercial monitoring at 32x to 42x RMR; integrator businesses on 4x to 7x EBITDA
• Attrition above 12 percent annually cuts multiples by 15 to 25 percent; verify the trailing 24-month customer cancellation log line by line
• State alarm licensing transfers vary widely: California ACO, Texas DPS, and Florida Division of Licensing each have different change-of-control rules
• UL-listed central stations and Five Diamond designation from The Monitoring Association command premium multiples versus contract monitoring
• SBA 7(a) financing works for deals under 5 million if the seller stays through the licensing transition; above that, structure with senior debt plus seller note
• Cyber-physical convergence (access control, cloud video, managed network services) is reshaping integrator valuations upward by 10 to 20 percent

What kind of security company are you actually buying?

The phrase security company covers four distinct businesses that trade on different multiples and require different acquisition playbooks. Confusing them is the most common mistake new buyers make.

Residential alarm dealers sell, install, and monitor burglar and fire systems for homeowners. Revenue is heavily weighted toward recurring monthly revenue from monitoring contracts, typically 35 to 65 dollars per door per month. National players like ADT and Vivint dominate, but local dealers control roughly 60 percent of the installed base according to The Monitoring Association.

Commercial monitoring companies operate UL-listed central stations that receive alarm signals from third-party dealers. Their economics are pure recurring revenue with high gross margins (often 55 to 65 percent at scale). Five Diamond designated stations from The Monitoring Association command the highest valuations.

Commercial integrators design and install access control, video surveillance, intrusion, and fire systems for offices, schools, hospitals, and industrial facilities. They run project-heavy with 60 to 75 percent of revenue from one-time installations and 25 to 40 percent from service contracts. The PSA Security Network is the largest cooperative of independent integrators in North America.

Managed security service providers (MSSPs) handle cybersecurity monitoring, often paired with physical security through cyber-physical convergence strategies. These trade at SaaS-like multiples (3x to 6x annual recurring revenue) rather than RMR multiples.

Before writing a letter of intent, force the seller to bucket every revenue dollar into one of these four categories. The mix determines which valuation framework applies.

Why the distinction matters for valuation

An RMR-heavy alarm dealer at 32x monthly recurring revenue and an integrator at 5x EBITDA can look superficially similar on top-line revenue but trade for completely different absolute prices. A 50,000 dollar RMR alarm dealer with 600,000 in annual revenue might sell for 1.6 million, while an integrator with the same 600,000 revenue might sell for 350,000 to 600,000 depending on margin and contract mix.

Mixed-revenue businesses need segment-level multiples

Most independent security companies blend at least two of these models. The correct approach is to value each segment separately: apply an RMR multiple to monitoring revenue, an EBITDA multiple to integration project revenue, and a service-contract multiple to maintenance income. Then sum the segments. This is how strategic acquirers like Allied Universal, Securitas Technology, and Convergint structure their offer letters.

How RMR multiples actually work

Recurring monthly revenue is the dominant valuation metric for alarm and monitoring acquisitions. Understanding the math behind RMR multiples separates buyers who pay too much from buyers who close at fair value.

The RMR multiple expresses how much the buyer pays for one dollar of monthly recurring revenue. A 32x multiple means you pay 32 dollars today for every 1 dollar of contracted monthly revenue. On a portfolio with 50,000 dollars in RMR, that produces a 1.6 million dollar enterprise value before working capital adjustments.

Multiple ranges in 2026 (based on Acquisition.com transaction database, Barnes Buchanan dealer survey, and IBBA Market Pulse):

Residential alarm portfolios: 26x to 36x RMR. Top of range requires attrition below 10 percent, average contract age above 30 months, and credit-scored customer base.

Commercial alarm and access control: 32x to 42x RMR. Commercial customers have higher stick rates (10 to 14 year average tenure) and bundled service revenue.

Central station monitoring (UL-listed, Five Diamond): 36x to 50x RMR. Pure recurring revenue with operating leverage justifies the premium.

Medical alert and PERS: 18x to 24x RMR. Higher attrition (often 25 to 35 percent annually) suppresses multiples.

Fire-only monitoring with annual inspections: 36x to 48x RMR. Sticky contracts, NFPA-mandated inspections, and lower price sensitivity.

Attrition is the single biggest multiple driver. Every 1 percent increase in annual attrition above 10 percent typically reduces the multiple by 0.5 to 0.8 turns. A portfolio at 15 percent attrition will price 2 to 4 turns below the same portfolio at 8 percent.

Trailing 24-month attrition is the only honest measure

Sellers love to quote ‘gross adds and losses’ over a flattering period. Demand the trailing 24 months of customer-level cancellation data with reason codes (non-pay, moved, deceased, competitor, service complaint). Calculate net attrition as cancellations divided by average installed base. Anything claimed below what this calculation shows is a red flag.

Contract age and credit quality move multiples

Newer contracts (under 12 months) carry higher cancellation risk. Older contracts (60+ months) often have no remaining commitment and convert to month-to-month at customer option. The sweet spot for valuation is a portfolio where the median contract is 24 to 48 months old. Pulling a sample of 50 to 100 contracts and verifying ACH or auto-payment penetration above 75 percent supports the higher end of the multiple range.

Licensing and regulatory transfer requirements

State alarm licensing is where deals fall apart. Every state has its own licensing regime, and change-of-control rules differ substantially. Verify licensing before signing a letter of intent, because retroactive cure is often impossible.

California: The Alarm Company Operator (ACO) license from the Bureau of Security and Investigative Services requires a qualified manager with at least two years of relevant experience. Stock sales do not require relicensing if the qualified manager stays. Asset sales require a new ACO application, which takes 90 to 150 days.

Texas: Texas Department of Public Safety Private Security Bureau issues Class B (alarm) and Class A (access control) licenses. Change of control triggers a new license application if more than 25 percent ownership transfers. Manager-in-charge must hold a valid security license.

Florida: Division of Licensing under the Department of Agriculture and Consumer Services issues EC (Class B) licenses. Burglar alarm system contractors require a state-certified contractor or a registered contractor in the buyer entity.

New York: Department of State licenses alarm installers separately from monitoring operations. New York City has additional FDNY S-95 certifications for fire alarm work.

Illinois: PERC card licensing under the Department of Financial and Professional Regulation. Both the company and individual installers need separate credentials.

Federal layer: UL listings (UL 827 for central stations, UL 681 for installation), FCC Part 68 for telecom interface, and NFPA 72 compliance for fire monitoring all transfer with the entity in stock deals but require reapplication in asset deals.

The practical answer for most acquisitions: structure as a stock purchase if the entity has clean licensing, or build a 120-day licensing transition into the closing conditions if you must do an asset purchase. Either way, the seller’s qualified manager should sign an employment agreement that runs through the transition.

NFPA 72 compliance and AHJ relationships

Fire alarm work is governed by NFPA 72 (National Fire Alarm and Signaling Code) and enforced by the local Authority Having Jurisdiction (AHJ). Strong AHJ relationships are an unrecorded asset that travels with the qualifier. During due diligence, request a list of every AHJ the company files permits with, and verify there are no open violations or permit holds.

Customer-side approvals you cannot ignore

Commercial monitoring contracts with insurers (FM Global, Allianz, Zurich), federal customers (GSA contracts, DOD facilities), and large healthcare systems often include change-of-control consent requirements. Pull the top 20 commercial contracts and check assignment clauses before signing the LOI.

Due diligence checklist for security company acquisitions

Security company due diligence is heavier than typical small-business diligence because the recurring revenue stream depends on verifiable contracts, working monitoring infrastructure, and transferable licenses. A 60 to 90 day diligence window is normal.

Financial diligence:

• Trailing 36 months of RMR build (gross adds, attrition, net RMR by month)
• Customer-level revenue file with contract start date, monthly rate, payment method, and contract type
• AR aging with reason codes for accounts over 60 days past due
• Quality of earnings analysis from a security-industry-experienced firm (Barnes Buchanan, Imperial Capital, Davis Mergers and Acquisitions)
• Inventory valuation including subscriber-owned equipment versus dealer-owned equipment
• True-up adjustment for prepaid service contracts and unearned monitoring revenue

Operational diligence:

• Central station signal volume and false alarm rates by zip code
• Average response time on monitored alarms (industry benchmark: 30 seconds to first action)
• Technician dispatch records, average truck rolls per month, and rolling 12-month service complaint log
• Vehicle fleet condition, age, and any leased versus owned equipment
• IT systems audit: monitoring automation software (Stages, MASterMind, Manitou, Bold), CRM, and accounting system

Legal and contractual:

• All customer agreements pulled and assignability reviewed
• Vendor agreements with hardware suppliers (Honeywell, DSC, Bosch, Hikvision, Axis, Avigilon)
• Wholesale monitoring agreements if the company uses a third-party central station (Rapid Response, Affiliated Monitoring, COPS, Securitas Critical Infrastructure)
• Employment agreements, non-competes, and qualifier agreements
• Outstanding litigation with focus on false alarm fines, employment claims, and contract disputes

For a complete walkthrough of the broader process, see the business acquisition due diligence process and the business sale due diligence checklist for the seller-side view.

Customer-by-customer audit for portfolios under 2,000 accounts

On smaller portfolios, sample 100 percent of monitored accounts and verify each is active, billed, and signaling. Larger portfolios require statistical sampling (typically 250 accounts) with 95 percent confidence intervals. Discrepancies above 3 percent of contracted RMR justify a purchase price reduction.

Cybersecurity due diligence for connected systems

Modern alarm and access control systems are IP-connected. Verify the company has documented vulnerability management for installed cloud video and access control platforms, especially anything running outdated firmware. The best cybersecurity due diligence firms for M&A handle this scope for transactions above 10 million.

Deal structure: stock versus asset, financing options

Security company acquisitions structure as stock purchases more often than typical small-business deals. The driver is license portability: a stock deal usually keeps state alarm licenses, UL listings, central station numbers, and account references intact.

Stock purchase advantages:

• Licenses, permits, and AHJ filings transfer automatically
• Existing customer contracts continue without reassignment notices
• Central station receiver lines, dealer numbers, and CSAA member status preserved
• Employees continue under existing payroll and benefits without W-4 resets

Stock purchase disadvantages:

• Buyer inherits all historical liabilities (false alarm fines, employee claims, contract disputes)
• Step-up in tax basis requires an IRC 338(h)(10) election, which the seller may not accept
• Successor liability for unrecorded environmental, employment, or product liability claims

Asset purchase advantages:

• Buyer selects assets and explicitly excludes unwanted liabilities
• Step-up in tax basis automatically (depreciation and amortization benefits)
• Cleaner audit trail for future financing or exit

Asset purchase disadvantages:

• License reapplication (typically 90 to 150 days per state)
• Customer contract reassignment notices (can trigger cancellations)
• Vendor reassignment for wholesale monitoring, IT systems, and credit card processing

Financing options in 2026:

SBA 7(a) loans work well for security company deals under 5 million enterprise value. SBA-preferred lenders for the security industry include Live Oak Bank, ReadyCap Lending, and Newtek. Standard terms are 10-year amortization on goodwill and 25-year on real estate. Seller must remain available for transition (typically 60 to 120 days) and seller note must be on full standby for at least 24 months. See can an SBA loan be used to buy a business for the qualification framework.

Senior debt plus seller note is the standard structure for deals 5 to 25 million. Capstar Bank, KeyBank, and Pinnacle Bank actively lend to the security industry. Typical capital stack: 50 to 60 percent senior debt at SOFR plus 350 to 500 basis points, 15 to 25 percent seller note at 6 to 8 percent fixed, balance in buyer equity.

Private equity-backed buyouts dominate deals above 25 million. Strategic buyers (ADT, Brinks Home, Vector Security, Allied Universal) and PE-backed platforms (Pye-Barker Fire and Safety, Cooper Equipment, Acre Security) bid on these. Letter of intent multiples reach 9x to 12x EBITDA for platform acquisitions.

Earnouts tied to RMR retention are common in security deals. Typical structure: 70 to 80 percent of purchase price at close, 20 to 30 percent contingent on RMR retention at the 12-month anniversary. A 92 percent retention threshold is the industry standard.

Why seller financing helps every party

Seller notes provide three benefits in security acquisitions: they bridge valuation gaps, satisfy SBA seller-standby requirements, and keep the seller financially aligned with RMR retention. Typical seller note terms: 10 to 20 percent of purchase price, 5-year amortization, 6 to 8 percent interest, full standby for 24 months.

Earnouts work but require clean RMR tracking

Earnouts tied to RMR retention only work if both parties trust the post-close RMR ledger. Build the earnout calculation into a third-party administrator (typically the company’s accounting firm) and lock the methodology in the purchase agreement schedule.

Valuation walkthrough on a realistic deal

Consider a regional alarm dealer in Phoenix with the following profile (anonymized from a 2025 transaction):

• 2,800 monitored accounts
• 58 dollars average RMR per account
• 162,400 dollars total RMR
• 1.95 million annual revenue (1.95 million monitoring, 380,000 installation, 240,000 service)
• Trailing 12-month attrition: 9.2 percent (industry median: 11 percent)
• Average contract age: 38 months
• 82 percent of customers on ACH or credit card auto-pay
• 12-employee workforce including 4 licensed installers
• Owner active in operations 40 hours per week

Valuation framework:

Monitoring RMR multiple: 32x to 36x based on attrition and contract age. Apply 34x as the midpoint. 162,400 x 34 = 5.52 million for the monitoring portfolio.

Installation business: 380,000 annual revenue at 18 percent EBITDA margin = 68,400 EBITDA. Apply 3.5x to 4.5x (project-heavy work commands lower multiples). Midpoint 4x produces 274,000.

Service and maintenance: 240,000 revenue at 32 percent EBITDA margin = 76,800 EBITDA. Apply 4x to 5x for sticky service contracts. Midpoint 4.5x produces 346,000.

Total enterprise value: 5.52 million plus 274,000 plus 346,000 = 6.14 million.

Adjustments:

• Working capital target: 8 percent of revenue = 156,000
• Owner replacement cost: subtract 95,000 from operating income (general manager hire)
• Deferred maintenance on monitoring infrastructure: 75,000 reduction

Adjusted enterprise value: roughly 5.95 million.

This is consistent with Barnes Buchanan multiples for a portfolio of this size and quality. A buyer at 5.95 million with 50 percent senior debt, 20 percent seller note, and 30 percent equity needs to retain at least 92 percent of RMR through year one to hit a 22 percent equity IRR over five years.

Why size matters: portfolio scaling effects

Multiples scale with portfolio size. A 20,000 dollar RMR portfolio sells at 26x to 30x because economies of scale are limited and the buyer pool is smaller (other small dealers). A 500,000 dollar RMR portfolio sells at 38x to 44x because PE-backed platforms can bid for it. Above 1.5 million RMR, strategic acquirers enter the bidding.

Geographic concentration risk

Portfolios concentrated in a single metro carry concentration risk but also operating efficiency. Underwriters discount multi-state, single-license-state portfolios more heavily because of operational complexity. The 5.95 million Phoenix example is a single-metro deal, which is why it prices at the higher end of regional multiples.

Cyber-physical convergence and where the puck is going

The security industry is consolidating around cyber-physical convergence: integrated physical security (cameras, access control, intrusion) and cybersecurity services delivered through a single managed services platform. This shift is reshaping acquisition multiples and shaping which targets command strategic interest in 2026.

The drivers:

Cloud-based video surveillance (Verkada, Eagle Eye Networks, Rhombus) is replacing on-premise DVR and NVR systems. Recurring SaaS revenue per camera is reshaping integrator economics from one-time install plus maintenance to true ARR models.

Access control as a service (Brivo, Openpath, Genea) is converting one-time door installation revenue into per-door monthly subscriptions.

Managed detection and response (MDR) services are being bundled with physical security monitoring. Arctic Wolf, eSentire, and Expel are buying or partnering with traditional security integrators to expand physical-plus-cyber offerings.

What this means for acquisition buyers:

Integrators with 30 percent or more of revenue in cloud video or access-control-as-a-service trade at 6x to 9x EBITDA versus 4x to 6x for traditional project-heavy integrators.

Monitoring centers that offer cyber alerting (network intrusion alarms, IoT device anomaly detection) command 10 to 15 percent multiple premiums.

MSSPs with both physical and cyber offerings are the highest-multiple security companies in the market, trading at 4x to 8x annual recurring revenue (SaaS-equivalent multiples).

If the target is a traditional alarm dealer with no cloud strategy, factor in a post-close transformation cost (typically 8 to 15 percent of revenue over 24 months) to migrate the portfolio to cloud video and access control. This is a real cost that should reduce the offered multiple.

Strategic buyer landscape in 2026

The biggest active acquirers are Pye-Barker Fire and Safety (life safety roll-up), Cooper Equipment (mechanical and security), Convergint (commercial integration), Securitas Technology (formerly STANLEY Security), and Allied Universal. PE-backed platforms include Acre Security (Halma plc), Honeywell Building Solutions, and Stanley Convergent. Knowing who would compete for the same target shapes deal structure and negotiating posture.

When to walk away from a target

Walk away if attrition trends above 14 percent annually, if the qualifier refuses to sign a transition agreement, if more than 25 percent of revenue is concentrated in one customer, if the central station is non-UL listed for commercial fire customers, or if AHJ relationships are tied to a single individual leaving at close. Each is a structural problem that no purchase price adjustment can solve.

Letter of intent and closing timeline

A clean security company acquisition runs roughly 120 to 180 days from LOI to close. Compressed timelines (under 90 days) usually mean either licensing problems are getting pushed past close or the buyer is skipping serious diligence.

Week 1-2: Letter of intent drafted with valuation framework, exclusivity (typically 60 days), and outline of working capital target. Use a standard commercial LOI structure with binding exclusivity, confidentiality, and expense provisions, plus non-binding price, structure, and conditions.

Week 3-8: Financial, operational, and legal due diligence run in parallel. Quality of earnings firm engaged. Customer audit sample completed. Licensing review with industry counsel (Bochiver, Eitelberg, Fisher Phillips, or a state-specific security attorney).

Week 9-12: Purchase agreement drafted and negotiated. Schedules drafted (customer list, employee list, contracts list, IT assets). Financing locked with SBA preferred lender, senior bank, or PE sponsor. Insurance applications filed (representations and warranties insurance for deals above 10 million, errors and omissions, commercial general liability, professional liability).

Week 13-16: Final working capital true-up, employment agreements with key technicians, qualifier transition agreement, and AHJ notification letters drafted. Bring-down due diligence in the week before close.

Week 17-26: Closing, license transfers begin, customer notification letters mailed, vendor reassignments processed. Earnout tracking begins on Day 1.

The transition period (typically 90 to 120 days after close) is where most deal value is created or lost. Customer-facing communication, technician retention, and AHJ continuity all happen during this window.

For more detail on the LOI mechanics, the commercial LOI template explained walks through every required provision.

Post-close 100-day plan

Days 1 to 30: Customer continuity calls to top 50 commercial accounts. Technician one-on-ones with all field staff. Central station signal verification on a sample of accounts. AHJ courtesy visits in the top three jurisdictions.

Days 31 to 60: System audits on the largest 100 customer accounts. Inventory true-up. First payroll run on the new ownership entity. Insurance certificates updated.

Days 61 to 100: First quarterly RMR report against earnout target. Cross-sell campaign launched if there is a cloud video or access control upsell opportunity. Annual customer satisfaction survey commissioned.

When to walk back to the seller

Material adverse changes discovered during diligence (customer concentration, hidden litigation, missing licenses) justify price reductions of 5 to 15 percent. Anything larger should trigger a walk-away conversation, not just a re-trade. Most experienced sellers will accept a reasoned price reduction if it is documented with diligence findings.

Frequently Asked Questions

What is a typical RMR multiple for a security company in 2026?

Residential alarm portfolios trade at 26x to 36x RMR, commercial alarm at 32x to 42x, UL-listed central station monitoring at 36x to 50x, and medical alert at 18x to 24x. Position within the range depends primarily on attrition rate and contract age. A portfolio with sub-10 percent annual attrition and average contract age above 30 months earns the top of the range.

Can I buy a security company with an SBA loan?

Yes for deals under 5 million enterprise value. SBA 7(a) is the most common path. Live Oak Bank, ReadyCap, and Newtek are the most active SBA lenders for the security industry. The seller must remain available for transition (60 to 120 days) and any seller note must be on full standby for at least 24 months.

Do security company licenses transfer automatically when I buy the business?

In a stock purchase, state alarm licenses generally stay with the entity if the qualifier remains. In an asset purchase, the buyer must reapply, which takes 90 to 150 days depending on the state. Always verify with the issuing authority before signing the LOI.

What is the most important due diligence item when buying a security company?

Trailing 24-month customer-level attrition data with cancellation reason codes. RMR multiples assume an attrition assumption, and overstating customer stickiness is the most common seller misrepresentation. Demand the full customer ledger, not a summarized retention report.

How long does a security company acquisition take to close?

Roughly 120 to 180 days from LOI to close. Anything faster usually means licensing problems are being deferred or due diligence is being skipped. Add 90 to 120 days post-close for license transfer and customer notification before considering the integration complete.

Should I structure the deal as a stock or asset purchase?

Stock purchases are more common in security deals because they preserve licenses, customer contracts, UL listings, and central station numbers. Asset purchases work when the buyer wants to exclude specific liabilities or already has its own licensing infrastructure in a state.

What attrition rate is considered healthy for an alarm portfolio?

Industry median is 11 percent annual attrition. Anything below 9 percent is considered top quartile and supports premium multiples. Above 14 percent annual attrition signals problems with customer satisfaction, billing, or service quality that will compound after closing.

What is the difference between a UL-listed central station and a contract monitoring center?

UL-listed central stations meet UL 827 standards for facility, redundancy, and operator training, which insurers require for commercial fire monitoring. Contract monitoring centers handle residential and non-fire commercial accounts at lower cost. UL-listed operations command higher acquisition multiples because of the regulatory moat.

Are earnouts common in security company acquisitions?

Yes. Typical structure is 70 to 80 percent of purchase price at close, with 20 to 30 percent contingent on RMR retention at the 12-month anniversary. A 92 percent retention threshold is standard. Earnouts work well in security deals because RMR is measurable and easily verified.

What is cyber-physical convergence and does it affect valuation?

Cyber-physical convergence combines physical security (cameras, access control, alarms) with cybersecurity services through cloud platforms. Integrators with 30 percent or more of revenue from cloud video, access control as a service, or managed detection and response trade at 6x to 9x EBITDA versus 4x to 6x for traditional project-heavy integrators.