ExitValue.ai
Industry Guide · 9 min read · April 2026

How to Value a Cyber Security Consulting Firm in 2026

Cyber security consulting is one of the most mispriced segments I see in the lower middle market. Founders routinely assume their firm should trade at the same multiples as a pure-play MSSP or a SaaS security vendor, and they walk into negotiations disappointed. On the other side, buyers who understand the difference between "recurring assessment work" and "true recurring revenue" are quietly paying 8-9x for the right firms and 4-5x for everyone else.

After working on a number of these deals, the pattern is consistent. Let me walk you through how cyber security consulting firms actually trade in 2026.

The Multiple Range: 5x to 9x EBITDA

The headline range for cyber security consulting firms with $1M-$10M in EBITDA is 5x to 9x adjusted EBITDA. That's a wide range, and where you fall inside it depends almost entirely on the mix of work you do and the quality of your bench. Strategic buyers like Accenture, Deloitte, Kroll, Optiv, and GuidePoint have all been active consolidators, and PE-backed platforms like Bridewell, NCC Group, and Sikich have been rolling up specialty firms aggressively since 2023.

For context, Accenture's acquisition of Symantec's Cyber Security Services business and Google's $5.4B purchase of Mandiant set the ceiling for large, branded practices. At the lower middle market, Kroll, Schellman, and CrowdStrike Services have been paying 7-9x for firms with strong incident response capabilities and federal credentials.

Retainer Work vs Project Work

This is the single biggest driver of where you fall in the multiple range. Buyers draw a sharp line between project-based revenue and true retainer revenue, and they value them very differently.

Project-based revenue — one-off penetration tests, SOC 2 readiness assessments, red team engagements, compliance audits — is valuable but lumpy. A $50,000 pen test in Q1 doesn't guarantee another in Q2. Firms that are 80%+ project work trade at 4-6x EBITDA, regardless of how strong the technical bench is, because buyers underwrite the sustainability risk.

Retainer revenue — vCISO engagements, managed detection and response (MDR), continuous pen testing programs, ongoing GRC support — is what buyers actually pay for. A firm with 60%+ of revenue on 12-month retainers with auto-renewal clauses will trade at 7-9x EBITDA, sometimes higher if the retainer base is growing. The math is simple: a strategic acquirer can cross-sell their existing product stack into your retainer accounts on day one.

I worked on a firm last year with $4.2M EBITDA that was 70% vCISO and continuous testing retainers. They took offers at 8.5x. A competitor with nearly identical EBITDA but a project-heavy mix sold six months later at 5.2x. Same technical capabilities, $13M difference in exit value.

Certifications Are Not Optional

In cyber security consulting, certifications are a gating factor for buyer interest. They're not a nice-to-have — they're what allows a buyer to staff your work after the acquisition without losing client relationships.

CREST accreditation is the benchmark for pen testing firms, especially if you work with UK, EU, Middle Eastern, or financial services clients. CREST-accredited firms command a 1-2 turn premium over non-accredited competitors because the accreditation is expensive and slow to obtain, which makes it a moat. CBEST and STAR certifications extend that premium for firms serving regulated financial institutions.

OSCP, OSCE, and OSEE on the bench signal genuine offensive capability. Buyers will literally count the number of OSCPs on your staff during diligence. A firm with 15 consultants where 10 hold OSCP is worth meaningfully more than a firm of 20 where only 3 do, even if revenue is identical.

CISSP, CISM, and CCSP matter for vCISO and GRC practices. If you're selling vCISO retainers to regulated industries, buyers expect your senior consultants to hold CISSP at minimum.

FedRAMP 3PAO, CMMC C3PAO, and PCI QSA designations are gold. They create regulatory moats, they're tied to recurring compliance calendars, and they command premium day rates. A PCI QSA firm with a clean track record will trade a full turn above a comparable firm without the designation.

Day Rates and Utilization

Buyers will reconstruct your P&L on a per-consultant basis. Here's the framework they use:

  • Senior pen testers / red teamers: $2,500-$4,500 blended day rate, 65-75% utilization target
  • vCISO / GRC consultants: $1,800-$3,000 day rate, 70-80% utilization
  • Incident response leads: $3,500-$6,000 day rate on retainer, higher on active engagements
  • Junior consultants: $1,200-$1,800 day rate, 75%+ utilization expected

If your utilization is below 60%, buyers assume you have a sales problem and discount accordingly. If it's above 85%, they assume you're capacity-constrained and ask whether growth is even possible. The sweet spot is 70-78% with a visible pipeline.

What Kills Cyber Security Firm Value

Founder-dependent rainmaking. If you personally close 60%+ of new business, buyers treat your firm as a capability shell around one person. Expect a 3-year earn-out and a turn or two off the multiple. The fix is building a named business development function and documenting how deals actually close.

Customer concentration. One client over 20% of revenue is a yellow flag. Over 30% is a dealbreaker for most strategic buyers. I've seen firms with a great bench and great margins get repriced from 8x to 5.5x in diligence because their top account represented 40% of revenue.

Subcontractor-heavy delivery. Firms that rely on 1099 contractors for 40%+ of delivery get discounted because buyers can't guarantee those resources transfer. Direct W-2 staff with non-competes are worth 1-1.5 turns more.

No IP or methodology. Documented methodologies, internal tools, proprietary threat intelligence, and reusable assessment frameworks are what separate a 9x firm from a 5x firm. If every engagement starts from scratch, buyers see a services treadmill.

How to Maximize Value Before Sale

If you're 18-24 months from a sale, the moves that actually change your multiple are:

Convert project clients to retainers. Even discounted retainer pricing is worth more than full-price project work at exit. A client paying $8,000/month on a continuous testing retainer is worth more than the same client paying $120,000 once a year for a project, even though the annual revenue is nearly identical.

Invest in certifications. If you don't have CREST, start the process. If you don't have a PCI QSA or FedRAMP 3PAO designation and your client base supports it, pursue one. These designations take 9-18 months to obtain and directly translate into multiple expansion.

Document your methodologies. Buyers want to see repeatable playbooks, not tribal knowledge. A 40-page pen testing methodology with templates and deliverable samples is a diligence asset.

Clean up your adjusted EBITDA. Cyber firms are notorious for mixing personal expenses, owner comp, and non-recurring items into the P&L. Get a quality of earnings study done before you go to market so the numbers you present are the numbers buyers accept.

Build a number two. If your COO or head of delivery can run the business without you, buyers will pay a premium and offer a shorter earn-out. If they can't, expect a 3-year retention package tied to revenue targets.

The Bottom Line

Cyber security consulting firms in 2026 trade in a 5x-9x EBITDA band, and the spread between the bottom and the top is entirely about retainer mix, certification depth, and whether the business can run without the founder. The firms I've seen get the best outcomes started preparing 18-24 months before going to market — converting project work to retainers, pursuing the right accreditations, and building a delivery team that doesn't depend on the founder to close deals or run engagements. Run an instant valuation if you want to see where your firm falls in the range today.
