Cybersecurity in 2025: Where Stability Meets Strategic Scale

While generative AI and quantum computing dominate headlines, one sector quietly continues to grow with precision, predictability, and purpose: cybersecurity.

In a world of flashy frontier tech, cybersecurity stands apart. Not because it’s immune to hype, but because it doesn’t need it. It’s driven not by trends, but by necessity. From boardrooms to battlefield simulations, cyber resilience is no longer a line item - it’s the foundation of trust in the digital age.

‍

The Infrastructure of Digital Trust

Cybersecurity forms the backbone of trust in the digital economy, making it an essential investment area supported by several strong fundamentals:

‍

Foundation of the digital economy

Cybersecurity has become the bedrock of digital business and government operations – the backbone of trust enabling everything from online banking to smart power grids. It’s now recognized at the highest levels: almost every corporate board member lists cybersecurity as a top agenda item.

Governments are also codifying it as critical infrastructure (for example, the EU’s NIS2 law mandates strict cyber defenses for essential sectors like energy and healthcare underlining that robust security is fundamental to modern society.

‍

Region	2023 Size	2030 Forecast	CAGR
North America	$71.4B	$125.2B	8.3%
Europe	$32.6B	$69.7B	11.1%
Asia-Pacific	$22.4B	$56.3B	14.2%
MENA	$5.1B	$12.3B	13.1%
Latin America	$3.4B	$7.5B	11.5%

Source: Luminova Ventures, Cybersecurity report 2025

‍

Non-discretionary spending

Cyber defense is widely viewed as a “must-have” budget item rather than an optional expense. Even when IT spending is under pressure, security is rarely cut, because the cost of a breach far outweighs short-term savings. In fact, security’s share of overall IT budgets has surged from 8.6% in 2020 to 13.2% in 2024. As one industry report observes, cybersecurity is now “normalized as a cost of doing business,” with organizations feeling compelled to maintain or increase these investments. It is expected in good business that cyber security is of high standard nowadays.

‍

Regulatory tailwinds

A wave of new regulations is reinforcing the need for cybersecurity across industries. In 2024, major economies including the EU and US enacted sweeping cyber rules to bolster resilience.

‍

For example, the EU’s NIS2 Directive now obliges critical infrastructure operators to implement rigorous security measures and report cyber incidents within 24 hours (with heavy fines for non-compliance). In the U.S., the SEC adopted rules requiring public companies to disclose material breaches within four business days.

‍

Business leaders are largely in favor of such mandates – 60% of executives believe stronger cyber and privacy regulations reduce risk, up from just 21% two years prior. These regulatory tailwinds effectively guarantee a baseline of cybersecurity spending as companies strive to meet compliance standards.

‍

“Cybersecurity regulation in the United States has developed through a sector-specific, enforcement-driven model emphasizing national security and public-private collaboration, whereas the European Union has pursued a unified, rights-based framework centered on data protection and regulatory harmonization.”
— Jan Balatka, Founding Partner at Luminova Ventures

‍

Other regions are following suit. Singapore has introduced mandatory OT cybersecurity rules for its energy and water sectors. Japan is requiring PQC-readiness assessments for telecoms. Saudi Arabia is enforcing 72-hour breach disclosures. These aren’t one-offs — they’re signals of a coordinated, global regulatory escalation.

‍

Major Regulatory Frameworks by Region

‍

US

Regulation	Year	Focus
FISMA (Federal Information Security Management Act)	2002	Federal agency cybersecurity risk management
HIPAA Security Rule	2003	Protection of healthcare data
GLBA (Gramm–Leach–Bliley Act)	1999	Financial institutions’ data protection
CISA (Cybersecurity Information Sharing Act)	2015	Public–private cyber threat information sharing
NIST Cybersecurity Framework	2014	Voluntary risk management framework
SEC Cybersecurity Rules	2023	Breach disclosure requirements for public companies

‍

EU
‍

Regulation	Year	Focus
GDPR (General Data Protection Regulation)	2016 (in force 2018)	Data protection and breach notification.
NIS Directive (NIS1)	2016	Critical infrastructure cybersecurity.
NIS2 Directive	2023 (enforced by 2024)	Broader scope, stricter obligations, incident reporting.
Cybersecurity Act	2019	EU-wide cybersecurity certification schemes.
EU Cyber Resilience Act (Pending)	2025 (expected)	Mandatory cybersecurity requirements for digital products and software.

‍

Regulation	Year	Focus
UK GDPR	2021 (post-Brexit)	Mirroring EU GDPR with UK-specific changes.
NIS Regulations (UK-specific version)	2018	Aligned with NIS1, managed by NCSC and Ofcom.
Telecoms Security Act	2021	Strengthening UK telecom infrastructure security.

‍

China

Regulation	Year	Focus
Cybersecurity Law (CSL)	2017	Critical information infrastructure, data localization.
Data Security Law (DSL)	2021	National security and cross-border data transfers.
Personal Information Protection Law (PIPL)	2021	GDPR-like law on personal data protection.

‍

Japan

Regulation	Year	Focus
APPI (Act on the Protection of Personal Information)	Revised 2020/2022	Personal data protection, breach notification.
Basic Act on Cybersecurity	2014	National cybersecurity strategy.

‍

South Korea

Regulation	Year	Focus
PIPA (Personal Information Protection Act)	2011 (updated multiple times)	Comprehensive privacy and data security law.
Network Act	2001	Security of telecom and internet service providers.

‍

India
‍

Regulation	Year	Focus
Information Technology Act (IT Act)	2000	Governs cybercrime and electronic commerce.
Digital Personal Data Protection Act (DPDP)	2023	India’s comprehensive data protection law (GDPR-inspired).

‍

Canada

Regulation	Year	Focus
PIPEDA (Personal Information Protection and Electronic Documents Act)	2000	Private-sector data protection and breach notification.
Bill C-26 / Critical Cyber Systems Protection Act (proposed)	Ongoing	Enhancing security in key sectors like telecom, finance, energy.

‍

Australia

Regulation	Year	Focus
Privacy Act 1988 (with Notifiable Data Breaches Scheme)	2018 (amendment)	Mandatory data breach notification.
Security of Critical Infrastructure Act (SoCI)	2018 (revised in 2021)	Cybersecurity for national infrastructure.

‍

Stable, resilient growth

The cybersecurity market has demonstrated steady growth for years, largely independent of economic cycles. Organizations worldwide spent about $150 billion on cybersecurity in 2021, with annual spending growing ~12.4% and that pace is, if anything, accelerating. Global security expenditures are on track to reach $212 billion in 2025 (a 15% jump from 2024).

‍

Analysts project the industry will roughly double from ~$200 billion today to over $500 billion by 2030, sustaining a ~13–15% CAGR. This consistent expansion is fueled by unabating threat levels and underinvestment gaps, meaning demand remains high even during downturns. For investors, such reliable growth – underpinned by necessity – makes cybersecurity akin to a “growth utility” in the tech sector, combining defensive resilience with long-term upside.

‍

“Cybersecurity isn’t a discretionary IT expense – it’s the backbone of digital trust in every industry. Even in a downturn, businesses and also governments can’t afford to cut back on security, and that’s exactly why this sector continues to expand year after year.” — Pavel Heczko, General Partner at Luminova Ventures

‍

Sector	2023 Market Size	2030 Market Size (Est.)	CAGR
Cybersecurity	$220B	$425B	~13.6%
Artificial Intelligence	$250B	$1.8T	~36%
Cloud Computing	$700B	$2.0T	~22%
Quantum Computing	$1.2B	$12.5B (2032)	~35%
Blockchain / Web3	$31B	$1.43T	~80–90%
Biotech	$2.1T	$3.9T	~14%
Renewables / CleanTech	$1.3T	$2.03T	~9.6%

Source: Luminova Ventures, Cybersecurity report 2025

‍

The Great Consolidation Is Underway

If cybersecurity is the infrastructure of the digital economy, then today’s investment landscape is best described as a construction site: fragmented, congested, and under active consolidation.

The sector experienced a sharp inflection point in 2021, when venture capital investment peaked at over $21 billion globally. This surge was driven by pandemic-era digital acceleration, remote work security needs, and speculative enthusiasm around cloud and identity platforms. But the sugar high didn’t last. By 2023, VC funding had contracted to $8.1 billion, marking a return to fundamentals amid rising interest rates and tighter liquidity.

Yet rather than a downturn, this recalibration has set the stage for strategic consolidation.

From Point Solutions to Full-Stack Platforms

Firms like Thoma Bravo, Vista Equity, and Francisco Partners have taken a page from the playbook of early SaaS rollups—buying category leaders in IAM (Identity & Access Management), SIEM (Security Information and Event Management), and DevSecOps, then combining them into integrated, full-stack platforms.

Take Thoma Bravo’s strategy: it acquired Ping Identity, ForgeRock, and SailPoint—three of the most recognized identity vendors—and is now merging them into a unified IAM ecosystem. This isn’t just cost synergy. It reflects a deeper market truth: enterprise buyers are fatigued. They’re done juggling 50 cybersecurity tools from 30 vendors. What they want now is platform convergence – fewer tools, broader coverage, and tighter integrations.

Cisco’s $28 billion acquisition of Splunk in 2023 is another milestone. It signals a shift in how cybersecurity value is captured—not through niche perimeter defenses, but through real-time analytics and observability. With this move, Cisco positions itself for the Extended Detection and Response (XDR) era, where security operations are increasingly autonomous and AI-augmented.

‍

“Cyber is evolving from a patchwork of tools into ecosystems with strategic control points. Investors who understand this consolidation wave will find opportunities not just in emerging tech, but in integration layers.”
— Pavel Heczko, General Partner at Luminova Ventures

Who’s Buying — and Why

Major strategic acquirers are no longer experimenting. They are executing.

Google’s $5.4B acquisition of Mandiant brought elite threat intelligence into the Google Cloud security stack.
Microsoft, which already owns a top-three share of the global cybersecurity market, has been acquiring niche cloud, identity, and OT security companies to expand its vertical depth.
Broadcom, after buying Symantec’s enterprise business and VMware, is building a full enterprise security suite.

These aren’t just defensive plays. They’re about capturing high-margin security workloads as enterprises migrate from on-premise to cloud-native security architectures.

‍

What’s Next? Invest Where Integration Is Hard

As consolidation accelerates, investors need to look beyond first-order acquisitions. The most compelling opportunities now lie where integration remains difficult, ecosystems are fragmented, and vendor lock-in creates lasting defensibility.
‍

Key areas include:
‍

AI-native security platforms

Companies like Vectra AI and HiddenLayer are pioneering autonomous detection and governance capabilities for large language models (LLMs) and AI systems.

The AI security market is projected to reach $60 billion by 2030, growing at a CAGR of 22%.
Vectra AI has raised $352 million, signaling strong investor appetite for next-generation, AI-native security platforms.

▪️Our take:
We’ve backed companies like DeepKeep and CitrusX, which are redefining how AI systems are protected, governed, and made resilient. We are also closely tracking emerging players innovating in autonomous detection, risk modeling, and AI firewalling, where we see opportunities for category leadership.

‍

OT and industrial cyber

Firms such as Dragos and Nozomi Networks safeguard power grids, factories, and pipelines, where attack surfaces are expanding, but defenses often remain outdated.

The OT cybersecurity market is forecasted to reach $34 billion by 2030, driven by accelerating digitalization and increasing regulatory pressures on critical infrastructure.
Dragos recently raised $200 million at a $1.7 billion valuation, reflecting the urgency and investor confidence in this segment.

▪️Our take:
We are actively evaluating several outstanding startups addressing the protection of grids, pipelines, and factories. We will disclose names once investments are finalized.

‍

Post-quantum cryptography

Early movers like PQShield and SandboxAQ are enabling telcos, financial institutions, and defense players to prepare for quantum-era threats.

The post-quantum cryptography market is expected to grow to $10 billion by 2030, fueled by mandates like NIST’s quantum-safe standards and the rising awareness of "harvest now, decrypt later" risks.
SandboxAQ, spun out from Alphabet, has raised over $500 million, backed by strategic investors and leading defense primes.

‍

▪️Our take:
We’ve invested in CyberRidge, a company with breakthrough technology that protects data in transit using photonic encryption, transforming information into optical noise—making it invisible and tamper-proof. This quantum-safe solution delivers unmatched security for critical sectors such as finance and defense. With escalating cyber threats, we believe CyberRidge is uniquely positioned to lead the future of secure communications.

‍

For Luminova Ventures, the thesis is clear: the next wave of value won’t come from building yet another firewall—it will come from solving the complexity that cyber buyers now face. Integration, interoperability, and intelligence will define the winners of the 2025–2030 cycle.

Why We Watch Cybersecurity Closely at Luminova Ventures

At Luminova Ventures, we believe that frontier technology is only as valuable as it is secure. Whether it’s AI agents coordinating logistics, quantum processors running simulations, or drones surveying critical infrastructure — the thread that binds them all is trust. And trust is a function of security.

That’s why cybersecurity is not a secondary theme in our investment strategy. It is a foundational pillar — not just a sector, but a lens through which we evaluate digital infrastructure, dual-use innovation, and sovereign technology resilience.

We pay close attention to areas where technical complexity meets market urgency:

Identity and Access Management (IAM) – the cornerstone of zero-trust architectures and a leading target for M&A platforms.
Operational Technology (OT) Security – protecting the physical backbone of energy, manufacturing, and telecom.
Post-Quantum Cryptography (PQC) – today a niche, tomorrow a mandate.
Managed Detection & Response (MDR) – cybersecurity-as-a-service models scaling into mid-market and global organizations.
AI-native security – platforms that embed LLMs and other AI/ML methods into real-time detection and defense automation.

‍

These aren’t just promising verticals. They are categories where customer urgency is high, pricing power is defensible, and exit scenarios are increasingly well-defined — especially with hyperscalers, platform consolidators, and defense-focused funds actively buying.

‍

“Our approach is simple: we back teams building essential systems for an uncertain world. Cybersecurity is no longer just about preventing attacks — it’s about enabling everything else to happen safely.”
— Diana R. Rogerová, General Partner at Luminova Ventures

‍