Tech: Cybersecurity and CDD – what investors should know
Ifan Dafydd recently spoke to Actum Group to explore why cybersecurity businesses are so often among investors’ subsectors of interest. Following that conversation, we are taking a deep dive into the importance of Commercial Due Diligence (CDD) when assessing cybersecurity service providers.
Cybersecurity services vs software
In the UK midmarket, PE deals involving pure-play cyber software businesses are rare, given they are typically either early stage or scale rapidly, bypassing the need for midmarket PE investment in favour of VC funding or strategic exits. For this reason, most interest and activity within the UK midmarket has been in cyber services businesses.
Several macro and structural trends are fuelling demand for cybersecurity services and creating strong market tailwinds. These include a sectoral talent shortage (driving outsourcing), an evolving threat landscape, digital transformation and the shift to the cloud, rising insurance premiums, and regulatory pressures in some industries.
High value vs. commoditised services
However, not all cybersecurity services are valued equally. Some are becoming increasingly commoditised whilst others are more complex, high value and strategic. Broadly speaking, we can categorise cyber services into three main buckets:
1. High value, strategic services – these services are highly tailored, require deep expertise, and are often aligned with business outcomes. Examples include:
- Cybersecurity strategy and governance
- Security architecture and design
- Incident response planning
- Zero-Trust architecture implementation
2. Operational, differentiated services – these services are still valuable but are more repeatable and process-driven. Examples include:
- Security Operations Centre (SOC)
- Managed Detection and Response (MDR)
- Identity and Access Management (IAM) implementation and support
- Managed Secure Access Service Edge (SASE)
- Red teaming
- Chief Information Security Officer (CISO) as a service
3. Mature, commoditised services – these services are often automated and price-sensitive, though they can still be valuable as part of a broader service offering. Examples include:
- Firewall management
- Antivirus / endpoint protection deployment
- Basic compliance reporting
- Basic penetration testing
- Security auditing and cyber accreditations
- Cyber software/hardware resell
Understanding where a business sits on this spectrum, or the weight of revenue coming from each service line, is critical for valuation and investment strategy.
Importance of CDD in valuation
Cybersecurity services businesses often trade at a premium. However, this premium is increasingly contingent on clear differentiation and value-add. Commercial Due Diligence plays a key role in understanding the value of a cybersecurity services business. Good quality CDD should give investors confidence in understanding:
What the business actually does (vs. what it claims to do)
Cyber service firms often use broad or overlapping terminology – like “MDR”, “SOC”, “XDR” – which can mask significant differences in capability, delivery model (automated vs resell vs human led) and therefore valuation.
How differentiated is its offering
Is the business offering something unique or defensible? Does the business have any proprietary processes, IP or deep sector expertise? Are clients buying because of trust and expertise, or just price? Is it backing the right cyber software vendors?
Whether it delivers true value-add or commoditised services
Most cyber services businesses are a mix of high-value and low-value offerings. CDD can help investors map out which service lines are strategic growth drivers, and which areas may be margin-dilutive or hard to scale. It can also help prioritise where to invest post-acquisition to maximise value at exit.
Bridge the valuation gap
Given the current mismatch between buyer and seller expectations, CDD can provide the evidence base to justify valuation (or negotiate it down), structure earn-outs or deferred consideration around performance and build a credible investment thesis.
In summary, high-quality, thorough CDD is the difference between buying a premium, differentiated platform at the right price and overpaying for a generic services business riding the cybersecurity wave.
Outlook for H2 2025 and beyond
Our discussions with corporate finance advisors, Private Equity firms and management teams suggest that H2 2025 will provide plenty of cybersecurity deal opportunities. If you are interested in investing in this space, or looking to understand a specific cyber business in more detail, speak to:
Ifan Dafydd
idafydd@armstrong-ts.com
+44 7792 158 738