
How Cybersecurity Consulting Deals Are Structured in the Lower Middle Market

From seller notes tied to client retention to earnouts based on EBITDA targets, here is how buyers and sellers structure acquisitions of cybersecurity firms with $1M–$5M in revenue.

Cybersecurity consulting acquisitions in the lower middle market typically carry valuations of 4x–7x EBITDA, driven by revenue quality, team certification depth, and the percentage of recurring retainer or managed security service revenue in the mix. Because these businesses often carry meaningful key-man risk — where the founder holds client relationships, certifications, and institutional knowledge — deal structures almost always include mechanisms to keep the seller engaged post-close and protect the buyer if revenue erodes. The three most common structures are cash at close with a seller note tied to client retention, earnouts contingent on post-close EBITDA or revenue performance, and equity rollovers used in private equity-backed roll-up scenarios. SBA 7(a) financing is available and frequently used for individual buyers, provided the business meets underwriting thresholds around EBITDA coverage and contract transferability. Understanding which structure fits your situation — as buyer or seller — depends heavily on revenue mix, client contract terms, team depth, and whether a change-of-control clause exists in key client agreements.


Cash at Close with Seller Note

The buyer pays the majority of the purchase price at closing in cash, often funded through SBA 7(a) debt or equity, with 10–20% of the total price held back in the form of a seller note. The seller note is typically repaid over 12–24 months and is conditioned on client retention thresholds — for example, 85–90% of trailing twelve-month recurring retainer revenue remaining with the business after the transition. This structure is especially common in SBA-financed deals where lenders require the seller to carry a note as a signal of confidence in the business.

75–90% cash at close, 10–20% seller note over 12–24 months

Pros

  • Seller receives a large cash payment at close, providing immediate liquidity and certainty
  • Aligns seller incentives with a successful client and revenue transition post-closing
  • SBA lenders view seller notes favorably, often making this structure necessary to close SBA-financed deals

Cons

  • Seller bears the risk of note forgiveness if post-close client attrition is beyond their control, such as a client being acquired or cutting its security budget
  • Buyer must negotiate clear, measurable retention metrics tied to retainer contracts rather than total revenue to avoid disputes
  • Note forgiveness triggers and dispute resolution mechanisms must be drafted carefully to prevent post-close litigation

Best for: Individual buyers using SBA financing to acquire a cybersecurity firm where the founder is transitioning out over 12–24 months and retainer revenue concentration is manageable.

Earnout Structure

A portion of the purchase price — typically 20–30% — is deferred and paid only if the business hits defined financial targets after closing. In cybersecurity consulting deals, earnouts are most commonly tied to EBITDA or total revenue performance over a two-year period. Earnouts are used when there is a gap between what a seller believes the business is worth based on pipeline or projected growth and what a buyer is willing to pay based on verified historical performance. They are also used when revenue is concentrated in a small number of clients or when a significant portion of revenue is project-based rather than recurring.

70–80% at close, 20–30% in earnout payments over 24 months

Pros

  • Allows buyer and seller to bridge a valuation gap without the buyer overpaying on day one based on unproven projections
  • Incentivizes the seller to remain engaged and drive growth during the earnout period, which is critical when they hold key client relationships
  • Protects the buyer if projected recurring revenue or new client wins do not materialize post-close

Cons

  • Earnout disputes are among the most common sources of post-acquisition litigation, particularly when EBITDA is affected by post-close integration costs or buyer-driven expense decisions
  • Sellers lose operational control after closing but remain financially exposed to buyer decisions that affect earnout attainment
  • Structuring fair earnout metrics for a cybersecurity firm with lumpy project revenue and variable staffing costs is technically complex

Best for: Deals where the seller is projecting significant near-term growth from a government contract pipeline, a new vCISO service line, or a pending CMMC compliance engagement that a buyer is unwilling to pay for upfront.

Equity Rollover with Private Equity Sponsor

Common in PE-backed roll-up acquisitions, the founder or owner retains 15–25% equity in the acquiring platform or newly formed entity in exchange for a portion of the purchase price. The founder receives a meaningful cash payment at close — the first bite of the apple — while maintaining upside participation in the platform's future exit. This structure is designed to keep technically credentialed founders engaged as the platform scales, which is critical in cybersecurity because client trust, personnel security clearances, and CISSP or CISM credentials attach to individuals rather than to the firm.

75–85% cash at close, 15–25% equity rollover in the acquiring platform

Pros

  • Founder participates in the upside of a larger platform exit, potentially generating a second liquidity event that exceeds the initial sale price
  • Keeps the founder deeply motivated to retain clients, recruit talent, and maintain certifications critical to the platform's competitive positioning
  • PE sponsors benefit from the founder's continued presence, which reduces client attrition risk and preserves the relationships that justify the acquisition multiple

Cons

  • Founder exchanges full liquidity for partial liquidity plus illiquid equity in an entity they do not control, which carries execution and exit timing risk
  • Equity rollover terms, including drag-along rights, tag-along rights, and anti-dilution provisions, are complex and require experienced M&A counsel
  • If the platform underperforms or exits at a lower multiple than projected, the founder's rollover equity may return less than the forgone purchase price at close

Best for: Experienced cybersecurity founders selling to a PE-backed IT services platform executing a roll-up strategy, particularly those with government clearances, CMMC expertise, or a strong team that makes them a platform-level asset rather than a bolt-on acquisition.

Sample Deal Structures

SBA-Financed Individual Buyer Acquiring a Compliance-Focused Cybersecurity Firm

Purchase price: $3,200,000

$2,560,000 SBA 7(a) loan at close (80%), $480,000 buyer equity injection (15%), $160,000 seller note (5%) tied to 85% client retention over 18 months

Seller note bears 6% interest and is forgiven proportionally if retainer revenue drops below 85% of trailing twelve-month baseline due to client-initiated terminations. Seller agrees to a 24-month consulting transition, 3-year non-compete within the firm's primary service geographies, and transfers all client contracts with change-of-control consents obtained prior to close. Business has $640,000 EBITDA, $1.8M in recurring retainer revenue out of $2.8M total, and a team of four CISSP-certified consultants who maintain direct client relationships independent of the founder.

Strategic Acquirer Buying a Penetration Testing Firm with Project-Heavy Revenue

Purchase price: $2,400,000

$1,680,000 cash at close (70%), $720,000 earnout over 24 months contingent on achieving $1.2M EBITDA cumulatively across Year 1 and Year 2 post-close

Earnout measured on EBITDA using pre-close accounting policies with a carve-out excluding any integration costs charged by the acquirer. Seller remains as Director of Offensive Security for 24 months at market compensation. Non-compete applies for 3 years in the geographic market and service lines covered at time of close. Earnout is accelerated in full if the business is sold or merged into another platform within the earnout period. Business has $480,000 trailing EBITDA with 55% project-based penetration testing revenue and a growing managed detection and response retainer base representing $420,000 in annual recurring revenue.

PE Roll-Up Platform Acquiring a vCISO and Healthcare Compliance Firm

Purchase price: $5,600,000

$4,200,000 cash at close (75%), $1,400,000 equity rollover (25%) representing a 12% ownership stake in the acquiring cybersecurity services platform

Rollover equity is subject to standard PE terms including drag-along rights triggered on a majority sponsor exit, tag-along rights protecting the founder on any partial sale, and a 4-year vesting schedule with a 1-year cliff tied to continued employment. Founder joins the platform's executive team as Chief Security Officer. Business generates $800,000 EBITDA on $3.2M revenue, with 68% of revenue from multi-year HIPAA compliance retainers across 22 healthcare clients. No single client exceeds 14% of revenue. Three staff hold CISM or CISSP certifications and maintain independent client relationships, significantly reducing key-man risk.

Negotiation Tips for Cybersecurity Consulting Deals

  1. Separate recurring retainer revenue from project-based engagements in all financial representations and tie any seller note or earnout exclusively to the recurring retainer base, since project revenue is inherently lumpy and outside the seller's post-close control
  2. Require change-of-control consents from all clients representing more than 5% of revenue before closing, not as a post-close condition, since clients who discover a sale after the fact are far more likely to terminate than those who are informed and managed through the transition proactively
  3. For deals with significant key-man risk, structure the seller's post-close consulting or employment agreement separately from the purchase agreement, with compensation tied to active client engagement activities such as quarterly business reviews rather than simply showing up
  4. If an earnout is part of the deal, define EBITDA for earnout purposes explicitly in the purchase agreement, including which post-close costs the buyer may not charge against the earnout business unit, to prevent disputes over integration overhead, allocated corporate expenses, or above-market management fees
  5. Buyers financing with SBA 7(a) loans should obtain a business valuation from an SBA-approved valuator early in the process, as lenders will scrutinize revenue quality, contract transferability, and key-man dependency as part of the credit underwriting — not just financial ratios
  6. Sellers concerned about post-close non-compete restrictions should negotiate carve-outs for teaching, advisory board participation, and any niche verticals not served by the acquiring business at the time of closing, and ensure geographic scope is limited to markets where the business actively operates rather than broadly defined national restrictions


Frequently Asked Questions

What is the typical valuation multiple for a cybersecurity consulting firm in the lower middle market?

Cybersecurity consulting firms with $1M–$5M in revenue generally sell for 4x–7x EBITDA. The range is wide because revenue quality matters enormously. A firm generating 60–70% of revenue from multi-year retainer contracts with diversified clients and a team of three or more independently certified consultants will command multiples at the high end of that range. A firm dominated by one-time penetration testing projects, with the founder holding all client relationships personally, will trade at 4x or below — if it trades at all — because buyers must price in the risk of revenue erosion post-close.

Can I use an SBA loan to buy a cybersecurity consulting firm?

Yes. Cybersecurity consulting firms are eligible for SBA 7(a) financing, and individual buyers frequently use SBA loans to fund 75–85% of the purchase price. Lenders will scrutinize the quality of recurring revenue, the transferability of client contracts, and whether the business can service debt without the founder in a billable role. Businesses where the founder accounts for more than 30–40% of billable revenue will face underwriting challenges, and lenders will typically require a seller note of 10–20% as a condition of approval to ensure the seller has skin in the game during the transition period.

How do earnouts work in cybersecurity consulting acquisitions and what triggers disputes?

Earnouts in cybersecurity deals are typically structured over 24 months and tied to EBITDA or total revenue targets. The most common source of disputes arises when the buyer makes post-close decisions — adding corporate overhead, increasing salaries, changing pricing, or redirecting business development resources — that reduce the EBITDA against which the earnout is measured. To protect against this, sellers should negotiate that earnout EBITDA is calculated using pre-close cost structures with explicit carve-outs for any integration-related expenses charged by the acquirer. Having experienced M&A counsel draft the earnout mechanics before signing a letter of intent is essential.

What happens to client contracts when a cybersecurity firm is sold?

Many professional services contracts, including cybersecurity retainer agreements, contain change-of-control clauses that give the client the right to terminate the contract if the firm is sold without their consent. Before closing, buyers should require the seller to identify all contracts with change-of-control provisions and obtain written consents or waivers from those clients. This is especially critical for federal government contracts, where transferring a contract to a new legal owner requires a novation agreement approved by the contracting officer rather than a simple client consent, and for defense contractors whose CMMC assessment is scoped to the assessed organization and its systems. If the firm holds a facility security clearance, a change in ownership is also a reportable changed condition to DCSA and may trigger a foreign ownership, control or influence (FOCI) review. Failing to address these items pre-close can result in immediate post-closing revenue loss that triggers seller note forgiveness disputes or earnout underperformance.

How can a cybersecurity firm seller reduce key-man risk to get a higher valuation?

The most effective steps a seller can take are redistributing client relationship ownership to other team members before going to market, ensuring that two or more staff independently hold CISSP, CISM, or comparable certifications and are recognized by name in client contracts, and documenting standardized delivery methodologies for core services like penetration testing, compliance audits, and incident response. Buyers pay premium multiples for businesses where the founder can step back without client revenue collapsing. If the founder is the only relationship holder, every sophisticated buyer will price that risk into the deal structure through lower upfront cash and larger contingent components.

What is an equity rollover and should a cybersecurity firm seller consider it?

An equity rollover means the seller retains a minority ownership stake — typically 15–25% — in the acquiring platform or entity rather than receiving 100% cash at close. It is most common in private equity-backed roll-up acquisitions. For cybersecurity founders with strong vertically specialized businesses, government clearances, or a platform-quality team, a rollover can be a compelling wealth creation strategy if the PE sponsor has a credible path to a larger exit. The tradeoff is accepting illiquid equity in an entity you no longer control. Sellers should evaluate the sponsor's track record, the platform's existing revenue base, the equity terms including drag-along and anti-dilution provisions, and whether the projected second exit multiple justifies the forgone immediate liquidity.
