Private Equity and Cybersecurity Under the Microscope
2–23–2026 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, February 23, 2026, and I’d like to congratulate both the US Men and US Women’s hockey teams on their gold medals at the Olympics. The men’s game was one of the best I’ve ever seen, and if there’s not a dental clinic somewhere in New Jersey rushing to gift a set of gold replacement teeth to Jack Hughes, you’re missing a truly golden opportunity.
This week we’ve got the intersection of private equity and cybersecurity front an center, thanks to a long piece published last week by Bloomberg, so let’s jump right in.
Private Equity and Cybersecurity Under the Microscope
In a long piece titled “How Private Equity Debt Left a Leading VPN Open to Chinese Hackers,” Bloomberg’s Jordan Robertson and Paula Seligson detail the trials and tribulations of VPN tool PulseSecure, and by extension, their parent company Ivanti.
The article details in what appears to be very well sourced detail just how the ownership structure of PulseSecure lead to a loss of both institutional knowledge on how the product worked, and runway to continue to make security investments.
The quotes don’t leave much room for interpretation, including:
“private equity firms often prioritize increasing profits and paying down debt over continuous investment in product development”
“significant pressure to cut costs resulted in Ivanti’s private equity owners firing, among others, engineers critical to maintaining Connect Secure at a time of escalating cyberattacks”
For their part, “Ivanti rejects the notion that cost-cutting measures compromised the safety of its Connect Secure products, according to a statement the company provided to Bloomberg News. It added that the quality of Connect Secure has improved under Ivanti’s ownership.”
The article contains new reporting on some attacks carried out in Pulse’s own data centers, as well as carried out on victims through its vulnerabilities, noting that “Chinese hackers had compromised the network of Pulse’s California data center via one of Pulse’s own VPNs” and “Ivanti ultimately determined that 119 organizations were compromised” in similar attacks.
There’s also some good detail about the financing challenges that are driving some of these decisions, including the use of so-called “distressed debt exchanges,” “in which private equity-owned firms conduct out-of-court debt restructurings with their lenders’ permission.”
The article cites a research paper that notes “More than half of firms that used the exchanges between 2009 and 2022 defaulted on their debt again.”
This article also comes on the heels of a piece in the Financial Times entitled “How private equity’s big bet on software was derailed by AI.” This article lays out the fact that investors are worried new capabilities from Anthropic’s Claude could undercut the moats of their software investments.
That’s important because “Takeovers of software companies by private equity funds accounted for about 40 per cent of trillions of dollars in deal activity over the past decade by some estimates. Such deals also represent nearly a third of lending in the fast-growing private credit industry.”
Now that it’s more expensive to borrow, an eroding moat (and, by extension, revenue stream) can create the exact situation facing Ivanti as their customers are walking away from the product for alternatives.
This may be why Morning Brew lead with the headline over the weekend “Is private equity past its prime?” But - as we’ll see in the fundraising portion of this show in a bit, investors continue to pour money into the asset class. Sunk cost or smart timing?
Anthropic’s Claude released a tool last week - Claude Code Security - that promises to make “frontier cybersecurity capabilities available to defenders.”
In a bit of an ironic twist, this may be just the sort of tool that PulseSecure might’ve needed back in 2020, 2021, or 2022 as it was facing real challenges.
Regardless, there’s a clear challenge here that involves not only threats, but also incentives, transactions, and macro trends spanning both the geopolitical and AI arenas, each of which are perpetually thorny.
It’s hard to draw a fulsome conclusion from a single article, but it should serve as a cautionary tale - if not for all PE investments, at least for those that are cybersecurity products or services. You can cut costs, but cut security capabilities at your own risk.
Fundraising
From a fundraising perspective, we’re seeing the exact opposite of what you’d expect given our discussion, with more than $40B in newly committed capital over the past week, including:
Thrive Capital raised $1b for its latest early-stage strategy and $9b for growth-stage deals;
Veritas Capital raised $15.3b for its ninth PE fund and related vehicles;
Battery Ventures raised $3.25b for its 15th flagship fund;
JLL Partners raised $1.4b for its ninth fund targeting the middle market; and
HGGC, co-founded by Hall of Fame quarterback Steve Young, raised $3.2b for its fifth fund.
I can’t square this circle for you, but it remains a fun game to watch and be a part of.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.ft.com/content/954ed03b-4119-4412-be9f-59f68b537a95