Software PE Pulse: Data Security & Compliance (Q1 2026)

Data security and compliance services had an active Q4 2025 through Q1 2026. Four private equity sponsors ran a familiar play, buying or adding to services platforms. One software deal signaled where compliance automation is heading next.

Gryphon Investors took majority control of Fortreum, a FedRAMP 3PAO, in January and added Kovr.AI as its first bolt-on three months later. Inflexion, M/C Partners, and Gemspring Capital each used an existing portfolio company to tuck in a compliance services firm. Meanwhile Paramify closed a $12m Series A led by Louis Bacon’s Moore Strategic Ventures, funding a pivot around FedRAMP 20x, the federal compliance overhaul that went to Phase 2 pilots in December.

Here’s what each deal looks like and what it signals.

Fortreum platform formation + Kovr.AI add-on (January and April 2026)

Category: FedRAMP / cybersecurity compliance services + AI automation
Type: PE Platform

Gryphon Investors made two related investments in FedRAMP compliance services this quarter, 96 days apart. The first, announced January 7, was a majority stake in Fortreum, a Lansdowne, Virginia cybersecurity services firm and FedRAMP 3PAO. The second, announced April 13, was Fortreum’s first bolt-on: Kovr.AI, a one-year-old AI-native compliance platform out of Reston. The pattern: buy a services firm that owns the regulator relationship, then add an automation layer that reduces the manual-document burden on each engagement. Terms weren’t disclosed on either side.

For some background, Fortreum is a cybersecurity compliance services firm founded in 2020 by James Leach (CEO) and Michael Carter (President), both original-cohort FedRAMP 3PAO personnel who’ve worked with the FedRAMP PMO since the program started. The firm does audit, advisory, and technical testing across FedRAMP, CMMC (it’s also a C3PAO), ISO, PCI, SOC, and GovRAMP. Customers are the federal stack: system integrators, agencies, cloud service providers, and federal contractors. Fortreum also built XRAMP, a continuous-validation platform that replaces point-in-time annual assessments with rolling checkpoints. Per Gryphon’s press release, the co-founders retained a significant equity stake in the recap. This is Gryphon’s fifth Technology Solutions & Services platform, joining 3Cloud (since sold to Cognizant), Caylent, NewRocket, and phData. The sponsor manages roughly $10b out of San Francisco with a dedicated Operations Resources Group that’s done this services-scaling motion repeatedly.

Kovr.AI only emerged from stealth in May 2025 with a $3.6m seed from IronGate and Xfund. Co-founders Andrew Black and Sri Iyer (ex-AWS, Gartner, PwC) built an AI-native platform on NIST 800-53, NIST 800-171, and OSCAL with a “build once, map anywhere” architecture, so a single control attestation can satisfy FedRAMP, CMMC 2.0, DoD SRG, NIST CSF 2.0, and GovRAMP simultaneously. The centerpiece is Agent Artemis, an agentic AI running inside a FedRAMP-authorized, Zero Data Retention environment. It’s already deployed at the U.S. Air Force, U.S. Space Force, and Accenture Federal Services. That’s the margin story Gryphon underwrote in January, delivered in April.

IS Partners acquired by Axiom GRC (November 2025)

Category: Compliance audit services
Type: Add-on

IS Partners is a compliance audit services firm, the kind most operators never think about until a customer’s procurement team asks for a SOC 2 report. The Dresher, Pennsylvania shop (founded 2005 by Big Four alumni) runs recurring audits across SOC 1, SOC 2, ISO 27001, HITRUST, HIPAA, PCI DSS, and CMMC for roughly 600 customers in healthcare, SaaS, fintech, and the defense industrial base.

The concrete version: if a healthcare software vendor wants to sell into a hospital, the hospital’s security team usually wants a HITRUST certification. If a defense subcontractor wants to keep DoD work, it needs CMMC certification signed by an authorized C3PAO. IS Partners is both a HITRUST CSF Assessor (since August 2016) and a CMMC C3PAO, so it’s one of a smaller group of firms that can actually issue those reports. That’s a recurring revenue stream with real switching costs, since audit relationships are sticky.

The buyer is Axiom GRC, a London compliance platform that Inflexion (~$16b AUM, founded 1999) carved out of Marlowe plc in May 2024 for £430m. Axiom already runs eight brands covering ISO certification, data privacy, cyber testing, and employment law, serving about 40,000 clients across the UK and EU. IS Partners is Axiom’s fifth add-on since the carve-out and the first US-headquartered one. Two months later Axiom bought Atlanta-based AssurancePoint, another SOC/ISO shop. The logic is straightforward: Axiom had a UK/EU compliance footprint with no real US audit capability, and IS Partners had US customers increasingly selling into Europe and needing GDPR help. Inflexion’s buy-and-build playbook, running on both sides of the ocean.

Lynx Technology Partners acquired by MorganFranklin Cyber (November 2025)

Category: Cybersecurity advisory + managed services
Type: Add-on

Lynx Technology Partners is a New York-based cybersecurity and risk management firm founded in 2009 that sells GRC (governance, risk, and compliance) as a service. The delivery model runs through what Lynx calls a Risk Operations Center, with two service lines: GRCaaS for cybersecurity governance and ERMaaS for enterprise-wide risk. In practice, that means risk assessments, compliance programs mapped to NIST, ISO 27001, HIPAA, PCI, and HITRUST, third-party risk management, penetration testing, and policy development. The firm sits in the regulated end of the market (financial services, pharma, healthcare, energy, and nuclear) and has run full GRC assessments for what it describes as the world’s largest provider of nuclear power plants.

The buyer is itself only ~10 months into its own independent life. MorganFranklin Cyber spun out of Vaco in a January 2025 management buyout backed by M/C Partners. M/C is a Boston-based lower mid-market investor (founded 1986 as a spinout of TA Associates, ~$3.0b raised across nine funds, currently deploying a $350m Fund IX) with a thesis focused on digital infrastructure and technology services. Lynx is the first tuck-in since the MBO.

Lynx founder Aric Perminter joined MorganFranklin Cyber as Managing Director, Client Relations, reporting to the CRO. Beyond the Lynx deal, MorganFranklin Cyber has publicly signaled appetite for more acquisitions, including in Europe and the Middle East.

24By7Security acquired by Amplix (November 2025)

Category: Managed cybersecurity + compliance services
Type: Rollup

Amplix bought 24By7Security on November 18, the 12th bolt-on since Gemspring Capital formed the platform in December 2022. 24By7Security is a cybersecurity and compliance consulting shop based in Coral Springs, Florida, founded in 2013 (originally as HIPAA-HITECH-SOLUTIONS). The firm handles compliance readiness and managed security for healthcare, financial services, manufacturing, and technology customers. They’re a PCI Qualified Security Assessor and a CMMC Registered Practitioner Organization authorized by Cyber AB, which means they walk defense contractors through CMMC certification. Add HIPAA, NIST CSF, SOC, ISO 27001, and GLBA work, plus vCISO, pen testing, and incident response, and you get a compliance-heavy service menu rather than a pure MSSP.

Amplix is the roll-up Gemspring built out of three New England technology advisors in 2022 (ROI Communications, Blue Front, and allConnex). They now run ~3,500 clients, 200+ employees, and a footprint in 20+ states plus Canada out of Norwood, Massachusetts. The first 11 deals mostly stacked up technology advisory, mobility, and contact center capacity in the Northeast, including InflowCX from Renovus in late 2023 and The Hastings Group for mobile/TEM in May 2025. 24By7Security is the first one that’s unambiguously cybersecurity consulting.

That’s the whole point. Amplix’s existing security story was MSSP and procurement-adjacent. 24By7Security gives them the consultative front end, CISO relationships, framework audits, and CMMC readiness, which they can sell back into a 3,500-account base full of regulated mid-market companies paying Amplix for connectivity and UCaaS but buying compliance work from someone else. It also drops a Florida flag on a platform heavy on New England and New Jersey. Gemspring has ~$5.1b AUM and just closed Growth Solutions II at $1.1b, so there’s runway for more.

Paramify raises $12m Series A led by Moore Strategic Ventures (December 2025)

Category: FedRAMP / compliance automation software
Type: Growth Equity

Paramify, a FedRAMP compliance automation software company, closed a $12m Series A on December 18, 2025, led by Louis Bacon’s Moore Strategic Ventures with participation from Album VC, Next Frontier Capital, and Frazier VC. The Lehi, Utah company was founded in 2022 by Kenny Scott and Tyler Stephens, and had raised a $3.5m seed 16 months earlier. Paramify reports ~4x year-over-year growth, 150+ customers including Cisco, Palo Alto Networks, Elastic, Ramp, and xAI, and coverage of over 20% of the FedRAMP Marketplace.

The backstory is as interesting as the round itself. Paramify started as a documentation automation tool for federal compliance, specifically FedRAMP, CMMC, and DoD authorization packages. Then in March 2025, GSA announced FedRAMP 20x, a ground-up rewrite of the federal authorization process that moved from static Word-doc evidence to continuous, machine-readable validation. Scott’s quote to TechBuzz: “We were in D.C., not sleeping, and then we’re told our entire go-to-market is getting blown up.” Paramify scrapped the roadmap and rebuilt around continuous authorization workflows. Phase 2 pilots launched December 10, 2025, eight days before the round was announced.

Today, the workflow looks something like this. A SaaS vendor wants to sell to a federal agency. Historically that meant 12-to-24 months and $250k-$750k in implementer fees producing NIST-formatted paperwork by hand. Paramify says Filevine, a Utah legal-tech company, used the platform to hit FedRAMP authorization in 8 days. The platform ingests system architecture and control implementations, auto-generates the required documentation, then handles continuous monitoring.

Moore Strategic Ventures is Louis Bacon’s family office, so this is permanent capital without a fund-life clock. The other three participants are Mountain West seed shops in Paramify’s backyard, which keeps the cap table close to home in Lehi.
