
LevelBlue Closes Cybereason Acquisition, Marking a Year of M&A

In the cybersecurity industry, 2025 was a notable year. At one end of the scale, startups emerged from stealth following multi-million-dollar equity injections by well-funded private investment firms. At the other end, security product and services vendors continued to consolidate, following an uptick in acquisition activity, fueled by eye-watering levels of cash injections. Many purchasers were known serial acquirers – Google buying Wiz, Palo Alto Networks purchasing CyberArk and SentinelOne snapping up Prompt Security and Observo AI – but others flexed their M&A muscles for the first time following a restructure, rebrand – or both.


Formed in May 2024, LevelBlue was created as a joint venture between the cybersecurity services business of US telco behemoth AT&T and Chicago-based private equity firm WillJam Ventures. With inherited clients, services and legacy products – such as AlienVault in managed cloud security (or Managed SASE) – LevelBlue began a multi-year task, re-envisioning itself as the world’s largest pure-play provider of managed security services with a unified integrated ecosystem under one umbrella.


Its strategy would be to integrate these acquired companies to create a powerful, unified cybersecurity services provider, rather than just a collection of different businesses.


It wasn’t until mid-2025 though that the initial vision started to become a reality when the company embarked on a five-month acquisition spree:

  • June 2025 – Aon’s Cybersecurity and IP litigation consulting groups, Stroz Friedberg and Elysium Digital

  • July 2025 – MDR provider Trustwave

  • October 2025 – Endpoint protection and XDR provider Cybereason


With the addition of Stroz Friedberg’s digital forensics and incident response expertise, and Elysium’s intellectual property and trade secrets disputes capabilities, Richmond Advisory Group saw at the time that the move marked a significant shift in the cybersecurity landscape that could help LevelBlue become the largest independent pure-play Managed Security Services Provider (MSSP) globally. Our view was further strengthened following the acquisition of Trustwave. The combination of LevelBlue’s AI-driven threat detection and orchestration capabilities with Trustwave’s mature threat intelligence (via SpiderLabs) and global incident response services is generally complementary, while the extended regional presence (including UK, Australia & Middle East) and public sector solutions (inc. FedRAMP and GovRAMP authorizations) build out a portfolio with wider appeal.

 

Cybereason: the Surprise “Autumn Baby”?


In October 2025, more than a few eyebrows were raised when LevelBlue announced its intention to acquire Cybereason. Although well-known for its capable security technology, the company had gone through an extended period of public "drama" and leadership changes. Prior to being bought by LevelBlue, Trustwave itself had planned a merger with Cybereason in November 2024, only for it to be called off in March 2025.


But Cybereason represented a valuable opportunity, and a period of stability at the company appears to have reassured LevelBlue that it would not be inheriting a company at odds with itself. Cybereason’s underlying strengths – its technology, its market presence in key regions, and its expert teams – made it an ideal target for LevelBlue's "aircraft carrier" strategy, for three key reasons: market access, elite services, and integrated technology.

  • Extended market access. The relationship with SoftBank is critical. LevelBlue says that SoftBank, a strategic partner and investor, is Cybereason's largest channel partner in Japan – two-thirds of Cybereason’s revenue comes from the region. LevelBlue would have significant difficulty doing this on its own. Beyond Japan, the acquisition strengthens LevelBlue's presence in the Middle East and parts of mainland Europe, areas where the companies' footprints were complementary.

  • Building out a world-class incident response team. With Stroz Friedberg, LevelBlue gained a highly respected practice with deep connections to top law firms and breach coaches, adding to the foundational credibility and expertise in threat research via LevelBlue’s own SpiderLabs. The purchase of Cybereason brings a team with significant experience in Digital Forensics & Incident Response (DFIR) along with access to dozens of cyber insurance panels. In combination with the Open Threat Exchange (OTX), LevelBlue can hope to create a multi-faceted intelligence asset that they can “weave” through the fabric of their platforms.

  • Integrated technology and platforms. The purchase of Cybereason brings first-party owned technology, reducing the reliance on third-party vendors – although strategic partnerships remain key to offering options for customers. Given that former members of Trustwave’s senior team are now driving LevelBlue’s security strategy, this will help address integration challenges. Many have been working with Cybereason's technology for 6-7 years in its MDR practice, meaning they already have deep expertise with the acquired firm’s tools.

 

The Gist

Fast-forward to post-Thanksgiving 2025, where the late-November completion of the Cybereason acquisition represents a key milestone in LevelBlue’s broader strategic roadmap. The company is actively positioning itself to be a major consolidator in the highly fragmented cybersecurity market. Incorporating its acquisitions, the company is placing larger significance on incident response and the “pull through” its combined capabilities will bring to its MDR, Managed Cloud Security and Consulting offerings.


That the 18-month-old firm spent the first year of its formation establishing its business structure, operations and portfolio strategy is to be expected. Maintaining existing customer contracts and sustaining organic growth needs to be a priority. For LevelBlue, inorganic growth - e.g. via M&A - can follow if/once this first objective is secured. This approach also provides protection from competitive “poaching” - always a danger during a time of disruption. MDR competitors such as CrowdStrike, SentinelOne, Sophos, IBM and many other providers (and their partners) would happily welcome new logos to their own platforms.


This is where LevelBlue’s strategy separates it from some MDR competitors, such as SentinelOne and Sophos, which are less vendor agnostic. It has built itself to be a vendor-agnostic integration platform – a company designed not just to buy other companies, but to incorporate them in a way that creates synergistic value. This is reassuring for existing and new customers who fear potential lock-in or unplanned purchases. For LevelBlue, each acquisition appears to be additive, making the whole stronger than the sum of its parts, rather than creating a disconnected portfolio of brands.


If the story of LevelBlue appeared to have already been written by the time its first anniversary came around, its acquisition spree in the second half of 2025 well and truly tore that up. The acquisition of Cybereason topped a year where the company gained significant regional market access, built a stronger global incident response team, and integrated valuable, proven technology to strengthen its core platform. Richmond Advisory Group believe that – if executed well – LevelBlue has put in place the components of a new market powerhouse, positioning itself to define and secure what's next in a consolidating cybersecurity industry.

