Bug bounty platform provider Bugcrowd has agreed to buy Mayhem Security, an automated code security company, for an undisclosed sum. 

Mayhem, spun out of Carnegie Mellon University, has been adopted to secure what it claimed in 2020 are some of the US Department of Defense’s “most critical systems," under an early $45 million contract.

The startup, which has raised $36 million to date, including via a $21 million Series B in 2022, also names Cloudflare and Deloitte as customers. 

Mayhem provides a patented software fuzzing system to spot bugs in code and APIs, and is led by Carnegie Mellon professor-turned-CEO Dr David Brumley, and head of engineering Dr Thanassis Avgerinos.

The acquisition follows Bugcrowd’s 2024 buyout of UK-based attack surface management and penetration testing firm Informer. 

Bugcrowd, which competes with the likes of HackerOne, raised $102 million in strategic growth financing in early 2024. It followed that raise with a $50 million growth capital facility from Silicon Valley Bank in October 2024, to scale its “AI-powered platform” and for “strategic M&A.” 

Mayhem, formerly AllForSecure, provides API security, code security via dynamic and static analysis, and dynamic SBOM products.

Dave Gerry, Bugcrowd’s CEO said in a canned statement, “We're building the industry's first truly adaptive security platform, enabling customers to anticipate, test, and defend at unprecedented scale.” 

The acquisition comes as cybersecurity M&A activity continues to outpace pre-pandemic levels, with strong private equity activity and a pronounced focus on what Capstone Partners describes as AI-focused firms and those playing in the post-quantum cryptography space. 

Security operations specialist Arctic Wolf today said it was acquiring UpSight Security less than a year after the AI-focused ransomware-detection startup raised a $1.08 seed round. The acquisitions today follow the 45 cybersecurity M&A deals announced in Octoboer 2025.

The link has been copied!