Announcing the 2026 Cyber 150

For the second year running we have used the data in the IT-Harvest Dashboard to identify the top 150 midsize cybersecurity companies. We issue this report with zero interactions with the vendors. Until today most of them have not even been aware that they were up for an award. PRESS RELEASE

Last year’s winners demonstrated how a data platform such as the IT-Harvest Dashboard can identify the up-and-comers. Eight have grown beyond the inclusion criteria. Cyera, the data security posture management (DSPM) leader grew 115% and announced yet another round of $400 million, bringing their total investment to $1.7 billion. Calcalist reports they are valued at $9 billion.

Methodology

We simply set up a filter for vendors with a minimum of 50 head count and a maximum of 500. That provided us with the list of 811 vendors including last year’s cyber 150 awardees. After removing those that had grown past 500 head count there were 767 vendors between 50 and 500 HC with positive growth last year. In the top 150, two had already been acquired. SGNL by Crowdstrike for an astounding $740 million, and Koi by Palo Alto Networks, Feb 17, 2026 at $400 million.

Head count is determined by monitoring LinkedIn data for each company.

The Winners

Here is a Google Sheet of the 150 winners of this year’s award. The smallest growth recorded was 25%, very similar to last year’s 24%.

Top Ten by Growth

And here are short descriptions of each of the top ten taken from the Dashboard.

TENEX.AI provides next-generation Managed Detection and Response (MDR) services that combine artificial intelligence with human expertise to detect and respond to enterprise security threats. The platform operates as an extension of client teams through proactive threat management, continuously identifying vulnerabilities and emerging risks to implement defenses before threats impact operations.

XBOW provides an artificial intelligence-powered penetration testing service that conducts autonomous security evaluations of applications. Their platform employs multiple specialized artificial intelligence agents operating collaboratively to identify, analyze, and exploit security weaknesses within digital assets. Each agent functions independently yet coordinates within a centralized management framework that guides systematic examination of applications’ full scope.

Sublime Security, a 2025 winner, operates an adaptive, AI-powered email security platform that deploys autonomous agents to detect, triage, and respond to email threats. The platform uses specialized AI models including natural language processing and computer vision to identify and prevent phishing attacks, business email compromise (BEC), malware, and novel threats.

Fable, founded only in 2024, combines AI, behavioral science, and adtech to manage human risk in enterprises. The platform identifies risky user behaviors and delivers real-time, personalized interventions designed to change security-related actions and decisions. These interventions include AI-generated training content, nudges, two-way chats, workflows, and simulations delivered directly within employee workflows. Listen to my podcast with CEO Nicole Jiang-Gibson here.

Noma Security provides unified AI and agent security and governance across enterprise AI environments, delivering visibility and control from model development through application runtime and autonomous agents. The platform performs continuous discovery of AI assets and agents within organizational environments, offering deep contextual understanding of agent profiles including toolsets, functionality, data access permissions, and operations.

Adaptive Security only passed 50 people in November of 2024. Today it is at 187 and it grew 180%+ last year. OpenAI invested in Adaptive in April. It operates a platform designed to train people and organizations against threats most likely to target them. The company offers two primary products: Adaptive Phishing and Adaptive Training.

VulnCheck raised an additional $25 million in February. It operates as an exploit intelligence provider focused on addressing vulnerability prioritization through automation-first delivery mechanisms. The company maintains a continuously updated database containing over 400 million records spanning all documented Common Vulnerabilities and Exposures, sourced from approximately 500 distinct channels. Their system automatically gathers vulnerability and exploit-related information at the moment of public disclosure, refreshing the entire dataset every eight hours without manual intervention requirements.

Formal operates as a protocol-aware reverse-proxy for datastores and APIs, enabling security teams to understand and control data access within their infrastructure. The platform deploys within customer VPCs as a single distroless Docker image, ensuring data never flows through Formal’s systems and remains under the organization’s complete control.

Prophet Security develops an AI SOC Platform powered by an agentic AI SOC Analyst that autonomously triages and investigates security alerts. The platform performs alert triage by determining severity levels, prioritizing alerts based on importance, and providing remediation steps that integrate with existing workflows. It gathers evidence across security infrastructure and correlates data from multiple sources to build comprehensive investigation plans

CleanStart provides a repository of secure, lightweight container images designed to help organizations build safer software supply chains. The images are minimal, hardened, and continuously verified to reduce risk and streamline deployment.

How many were repeat winners?

There were a handful of the 2025 Cyber 150 that graduated by exceeding 500 head count. Eight to be exact:

There were 47 repeat winners of the Cyber 150 Award. Keep in mind that it is much harder to grow by the same or more in percentage terms when you are a bigger company. Kudos to these 47. Here are the top ten:

Half of these took in new funding to fuel their growth. Indeed, 24 of the 47 received new funding in 2025.

What about Categories?

It is astounding to me that AI Security led in number of vendors per category in this year’s list. I should not have been surprised after compiling 378 AI Security companies for Guardians of the Machine Age: Why AI Security Will Define the Future of Digital Defense. (Available this week on Amazon.)

Here is the breakdown by category.

Guess the country distribution.

You guessed it. The USA leads, followed by Israel and the UK. Here are how all the countries are represented by the 2026 Cyber 150.

Going to RSAC 2026?

Thirty-nine of the Cyber 150 will be exhibiting at RSA Conference 2026 the week of March 23. I have noted those in the spreadsheet with booth numbers. Or you can see the full list in the 2nd tab.

Do you sell to cybersecurity companies?

If you offer marketing services to cybersecurity companies you can see the value of this data. Or you may be a recruiter or responsible for getting sponsors for your own cybersecurity events or CISO dinners. While 150 prospects is a great start, think what you could achieve if you had access to data on 4,000+ vendors and their products. Reach out to set up a demo of the only platform for researching the entire industry, dashboard.it-harvest.com.

Comments

[Konnor Andersen]

QQ - It looks like on the category you have moved the Cloud Vendors into AI Security, any specific reasoning behind it?