$82 billion, three targets — identity is one of them

Cybersecurity M&A hit $82 billion in 2025. Hogenhouck names AI, cloud security, and IAM as what acquirers want. Here is why platform beats feature in this consolidation cycle.

8 May 2026 · Mark Bakker

The Dutch M&A advisory firm Hogenhouck just published 2025 numbers for cybersecurity deal-making. The headline: $82.2 billion in transactions, a 63% jump year-over-year, and a Q4 spike of $14 billion across 96 deals — 637% above Q4 2023.

Bigger than the volume is the shape of it. The piece names three things acquirers are buying:

  1. AI for defence
  2. Cloud security
  3. Identity Access Management

That's our segment. So this post isn't "we sell to you, the prospect"; it's "here is the market thesis we are building against, and why we think the shape of this platform is right for it."

The Rule of 40 changed valuations 3.5×

The single most useful number in the report isn't the deal volume. It's this:

Companies above the Rule of 40 (revenue growth + profit margin ≥ 40%) command 9.0× revenue in this market. Companies below it get 2.6×.

That is a 3.5× difference for the same dollar of revenue. The 2021 era of growth-at-all-costs is over. Acquirers are pricing efficient growth, not raw growth.

This isn't an exit story for us — we're nowhere near that conversation, and our north star is shipped product, not multiples. But it changes how we build. Every architectural decision now has a "does this help us hit Rule of 40" overlay. EU-only infrastructure costs less than two-region replication. A programmable-policy library costs less to support than a managed-policy SaaS. Native-binary CLI costs less to host than a control plane. The list goes on.

The product was already shaped this way. The market just put a number on why.

Three named targets — and the one we sit in

The Hogenhouck thesis is that consolidation moves from feature-vendors to platform-vendors. Buyers don't want six point solutions; they want one platform with six surfaces.

For identity specifically, "platform" means at least:

  • Authorization — an OAuth 2.0 / OIDC server that understands who the user is and which IdP authenticated them.
  • Verification — a verifier that accepts Verifiable Credentials (SD-JWT VC, mDoc) from any wallet.
  • Issuance — a credential issuer that can mint signed VCs from existing user data.
  • Trust anchors — a registry of which issuers and which credential types are trusted, queried in real time.
  • Wallets — both an embeddable SDK and a server-side cloud wallet, so users with no wallet app are not locked out.
  • Policy — a rule layer that turns claims into allow/deny decisions you can read, version, and audit.
  • Enforcement — the surface where credentials actually unlock things.

We ship all of those. They share an authorization model, an audit pipeline, a billing surface, and a customer-self-service console. That is the platform shape the report is describing — and it is the shape that gets the 9.0× multiple, not the 2.6×.

Important: we're not laying claim to the multiple. We're laying claim to the architecture the multiple is paid for.

Why EU-only is now a market signal, not just a regulatory one

The Hogenhouck research is targeted at Dutch and EU founders. The article frames a "decisive phase" for European cybersecurity entrepreneurs. That overlaps almost exactly with our own positioning: EU-only infrastructure, no CLOUD Act exposure, eIDAS 2.0 / ARF 1.4+ verifier.

Until now, EU-only was mostly a regulatory pitch. NIS2, eIDAS 2.0, and DORA push enterprises toward sovereign infrastructure. The Hogenhouck data adds a market pitch on top: European identity platforms are part of a record-breaking M&A wave specifically because European buyers — and increasingly American ones buying European subsidiaries — want platforms whose trust posture survives a regulatory audit.

So when our home page says "Programmable trust, on EU-only infrastructure. No CLOUD Act exposure", we now have two reinforcing reasons why that matters: the regulator and the market.

What the report doesn't say

The piece does not name acquirers or targets. It is positioning research, not deal flow. We treat it as such — useful for narrative, not for pipeline.

It also does not break down deal volume by sub-segment within IAM. "Identity" in the report includes everything from password vaults to SSO to verifiable credentials. We are at the verifiable-credentials end of that spectrum (the EU-pulled, eIDAS-2.0-shaped end), which is a small slice of the total but the slice with the longest legs in front of it.

What we do with it

Three things, in order of leverage:

  1. Keep building toward Rule of 40. Every story in our backlog gets the same overlay: does this push ARR efficiently, or does it pull cost in faster than revenue? Most things a company at our scale should be doing already pass that test, but the explicit anchor is useful.
  2. Lead positioning with "platform," not "verifier." The report validates that buyers pay a premium for platforms over features. Our products page starts with Broker because that's the integration surface; but the deeper pitch is the ten building blocks that share one trust model. Sales conversations should start there.
  3. Stay honest about what is shipped. Our CLAUDE.md rule is "public claims must reflect shipped behaviour", and that gets tested harder, not softer, when the M&A market is paying for "platform." Marketing pages, demo gallery, and pricing are kept on a schedule of audit-then-update for exactly this reason.

The platform thesis is not new for us. It is the reason the /products/demos gallery exists, the reason we ship a thoryn CLI that touches every plane of the platform, and the reason every story in the backlog cross-references at least two products. The M&A market just added a number to it.


The Hogenhouck research is at dutchitchannel.nl. All figures cited are theirs.