$102 Billion in Cybersecurity M&A Is Breaking Your AEs, and the Data Proves It
Cybersecurity account executives are being asked to sell more complex product portfolios than ever before, while the data shows most of them were already struggling to hit quota. The 2025 M&A wave didn't create this problem, but it accelerated it to a breaking point.
How big was cybersecurity M&A in 2025?
Cybersecurity mergers and acquisitions hit a record $102 billion in disclosed deal value across 398 transactions in 2025, according to Momentum Cyber's 2026 Almanac. That represents a 294% year-over-year increase in deal value and a 21% rise in deal volume. The second quarter of 2025 set the all-time record for transaction count at 109 deals, while the third quarter set a new record for deal value at $44.2 billion.
The headline transactions reshaped the competitive landscape overnight:
- Google acquired Wiz for $32 billion in an all-cash deal, cleared by the DOJ in November 2025
- Palo Alto Networks acquired CyberArk for $25 billion, marking its formal entry into identity security
- Palo Alto Networks acquired Chronosphere for $3.35 billion, adding observability to its platform
- ServiceNow signed a $7.75 billion agreement for Armis, extending into asset discovery and OT security
- ServiceNow is reportedly acquiring Veza for $1 billion, strengthening identity and access controls
- Francisco Partners took Jamf private for $2.2 billion
On the financing side, Momentum Cyber recorded 734 funding rounds totaling $18 billion (up 37% year over year), with 57 rounds exceeding $50 million. AI security overtook risk and compliance as the most heavily funded category. SaaS companies accounted for roughly 60% of total M&A volume and 96% of total capital deployed.
Sources: Momentum Cyber 2026 Almanac (via SiliconANGLE, January 2026); SecurityWeek, December 2025; Ropes & Gray U.S. Cybersecurity Sector Report Q3 2025.
What does cybersecurity consolidation mean for account executives?
Every acquisition creates a downstream knowledge burden that lands directly on the AE. When Palo Alto Networks acquires CyberArk, every Palo Alto AE inherits identity security positioning they need to articulate on a live call. When ServiceNow acquires Armis, their sales team must suddenly understand asset discovery and OT security. When Google closes Wiz, their cloud sales motion now includes a full CNAPP story that didn't exist in their talk track last quarter.
Each deal means new integrations to learn, new competitors to position against, new compliance implications to articulate in real time, and new objection handling for prospects skeptical of platform consolidation.
This isn't a one-time disruption. The Ropes & Gray Q3 2025 report identifies consolidation and platformization as the key theme driving M&A activity, with segments like identity, cloud security, and data security consolidating at an accelerating pace. Multiple industry analysts predict strong consolidation continuing through 2026.
The industry is moving toward fewer, larger, more complex platforms. Buyers expect AEs to understand the full stack: endpoint, identity, cloud, data security, compliance, all in a single conversation. But the resources available to those AEs haven't scaled to match.
How are cybersecurity AEs actually performing against quota?
The quota attainment data is sobering, and it predates the 2025 M&A wave.
Enterprise AEs are the hardest hit. The RepVue Cloud Sales Index (Q4 2024) reported that enterprise account executives achieved only 38.2% quota attainment, the lowest of any segment tracked. Average attainment for revenue closers overall hovered between 58% and 59% in 2025.
The majority of reps are missing quota. Salesforce research from 2025 found that 67% of reps didn't meet quota by year's end. Xactly's 2025 Sales Compensation Report found that 87% of B2B sales professionals are struggling with quota attainment. QuotaPath's compensation trends survey found that 91% of companies failed to achieve 80% or more of their quota targets.
Only a small fraction of sellers excel. According to industry benchmarks, only 24.3% of salespeople exceed their yearly quota, making consistent attainment a rare achievement.
Meanwhile, buyers are getting more sophisticated. Zscaler data from the first half of 2025 showed that enterprise use of AI and ML tools increased over 3,000% year over year. Buyers are arming themselves with AI-powered research before they ever get on a call, while sellers are still relying on static training decks and quarterly SKOs.
Sources: RepVue Cloud Sales Index Q4 2024 (via Everstage); Salesforce State of Sales 2025 (via Highspot); Xactly 2025 Sales Compensation Report; QuotaPath 2024 Compensation Trends Report; Zscaler (via Ropes & Gray Q3 2025).
Why can't sales training and enablement close the cybersecurity knowledge gap?
Training and traditional sales enablement are structurally incapable of keeping pace with the rate of change in cybersecurity product portfolios. Three data points explain why:
Training doesn't stick. Research consistently shows that 87% of sales training content is forgotten within 30 days. The forgetting curve is not a motivation problem; it's a cognitive science problem. No amount of better instructional design solves the fundamental issue of information decay when AEs are expected to retain positioning across dozens of product categories, compliance frameworks, and competitive landscapes simultaneously.
Enablement content goes unused. Studies indicate that 65% of sales enablement content is never accessed by reps. The content may exist in a knowledge base or Confluence wiki, but it doesn't reach the AE at the moment they need it, which is mid-conversation, not three hours later when they have time to search for it.
Buyers are opting out of the rep experience entirely. Gartner found that 61% of B2B buyers now prefer purchasing without a sales rep involved at all, up from 33% in 2019. They aren't anti-human. They're anti-unprepared. When a CISO can get more accurate technical answers from ChatGPT than from the AE on the other end of a Zoom call, the AE's role is actively being questioned.
The traditional answer to "the AE can't go deep enough" is to bring in a Solutions Engineer. But SE-to-AE ratios are already stretched, and every "let me bring in my SE for that" adds days to the sales cycle. Research shows that 78% of B2B buyers choose the vendor that responds first. Every deferred answer is a competitive opening for someone else.
What is the financial cost of the AE knowledge gap in cybersecurity?
The cost of inadequately equipped AEs compounds across four dimensions, and the total is measured in millions per year for mid-market and enterprise cybersecurity vendors.
Lost deals from deferred technical questions. Corporate Visions analyzed over 100,000 B2B deals and found that 53% of lost deals were actually winnable, meaning the loss was attributable to sales execution, not product-market fit. In cybersecurity, where buyers are technically sophisticated and expect real-time competence, each "let me get back to you" reduces win probability and extends the sales cycle. Allego research found that reps cannot answer 40% of buyer questions. Salesforce found that 82% of B2B buyers believe reps are unprepared.
Pipeline velocity drag. Every deferred question adds an estimated 2-3 days to the sales cycle. Deals that slip one month past their optimal close window lose approximately 60% of their close probability. At two months past optimal, that figure approaches 90%.
Security questionnaire friction. Research shows that 54% of companies report lost deals attributable to security questionnaire delays. The financial impact scales by segment: SMBs lose an estimated $65,000-$100,000 annually, mid-market companies $850,000-$1.55 million, and enterprise vendors $5 million-$9.5 million, combining direct labor costs, lost deals, pipeline velocity drag, and opportunity cost from deals never pursued because the questionnaire process was too painful to start.
Quota attainment collapse at the team level. When 67% of reps miss quota, the revenue shortfall isn't marginal; it's structural. For a cybersecurity vendor with 50 AEs carrying $1 million annual quotas, the gap between current attainment (58-59%) and target (80%+) represents $10-11 million in unrealized annual revenue.
What would actually close the knowledge gap for cybersecurity AEs?
The companies that will win disproportionate market share in cybersecurity aren't the ones with the best training programs. They're the ones that solve the knowledge problem at the point of conversation. Not after the call, not in a Slack thread, not in a quarterly SKO that 65% of reps won't retain anyway.
The requirements are specific:
Real-time knowledge access during live calls. Not a searchable wiki, but contextual intelligence surfaced automatically based on what the prospect is actually saying. When a prospect mentions a failed SOC 2 audit, the AE needs compliance talking points appearing on their screen in seconds, not after a post-call research session.
Competitor battlecards triggered by mention, not by memory. When a prospect names CrowdStrike, SentinelOne, or Palo Alto Networks, the AE needs instant positioning: their weaknesses, your edge, landmine questions to plant, and traps to avoid. This can't depend on the AE remembering which battlecard to pull up mid-conversation.
Compliance and security questionnaire fluency on demand. With 54% of companies losing deals to questionnaire friction, the AE who can speak to SOC 2 Type II, FedRAMP, ISO 27001, or HIPAA implications in real time has a structural advantage over the one who says "I'll have our compliance team get back to you."
Discovery coaching that catches anti-patterns live. MEDDPICC qualification isn't useful as a post-call CRM exercise. It's useful when the AE is in the conversation and can see that they've accepted surface-level pain without digging deeper, or that they've covered Metrics and Decision Criteria but haven't identified the Economic Buyer.
Post-call automation that captures institutional knowledge. Every sales call generates insights about buyer objections, competitive positioning, and deal risks. If those insights die in a rep's notebook, the organization never compounds its knowledge. Automated call summaries, MEDDPICC updates, and follow-up drafts convert every conversation into organizational learning.
The math is straightforward: make the average AE as technically credible as the best SE on every call, and the revenue impact is measurable within a single quarter.
Frequently Asked Questions
What is quota attainment in cybersecurity sales?
Quota attainment measures the percentage of an assigned sales target that an AE actually achieves in a given period. In cybersecurity, enterprise AEs currently average 38.2% attainment according to the RepVue Cloud Sales Index, significantly below the 80% benchmark that most sales organizations target. Forrester notes that median seller attainment of approximately 50% is common across B2B sales and does not necessarily indicate underperformance at the individual level, but at the team level, it represents a structural revenue gap.
Why is cybersecurity M&A accelerating in 2025 and 2026?
The primary drivers are platform consolidation (vendors acquiring complementary capabilities to offer unified security platforms), strong enterprise demand for fewer vendor relationships, record capital availability, and the emergence of AI security as a new high-growth category. Momentum Cyber projects sustained M&A activity through 2026, with cloud security, identity, and data security segments consolidating fastest.
How does M&A activity affect cybersecurity sales teams?
Each acquisition expands the product portfolio that AEs must sell and support. Reps inherit new product categories, new competitive landscapes, and new compliance positioning requirements, often without proportional increases in training time, enablement resources, or SE support. The compounding effect of multiple acquisitions within a single vendor (e.g., Palo Alto Networks completing 14+ acquisitions since 2019) creates a knowledge burden that exceeds what periodic training can address.
What percentage of B2B sales reps miss quota?
Industry data consistently shows that 67% of reps miss quota (Salesforce, 2025), only 24.3% exceed their annual target, and 91% of companies fail to achieve 80% or more of their quota targets (QuotaPath). Enterprise segments perform worse than mid-market or SMB, with enterprise AEs averaging 38.2% attainment.
Why doesn't sales training solve the AE knowledge gap?
Training faces two structural problems: 87% of content is forgotten within 30 days (the Ebbinghaus forgetting curve), and 65% of enablement content is never accessed by reps. The rate of change in cybersecurity product portfolios, driven by M&A, new threat categories, and evolving compliance frameworks, exceeds the capacity of periodic training programs to keep AEs current. Highspot's 2025 State of Sales Enablement Report found that coaching with real-world scenarios improves quota attainment by 23%, but even that improvement requires the coaching to happen at the point of need.
What is the cost of a cybersecurity AE saying "let me get back to you"?
Each deferred technical question adds an estimated 2-3 days to the sales cycle, and 78% of B2B buyers choose the vendor that responds first. Corporate Visions found that 53% of lost B2B deals were actually winnable. In cybersecurity specifically, where average deal sizes range from $50,000 (SMB) to $500,000+ (enterprise), the revenue impact of even a small percentage improvement in win rates is substantial.
What is the cybersecurity sales enablement market opportunity?
No single vendor currently combines cybersecurity-specific domain knowledge with AI-native real-time sales enablement. General-purpose tools like Gong, Chorus, and Microsoft Copilot dominate conversation intelligence but lack cybersecurity domain depth. Questionnaire automation platforms like Conveyor, SafeBase, and Responsive own a narrow slice but don't address live call intelligence. The intersection (vertical-specific, real-time, AI-powered sales enablement for cybersecurity) remains unowned.