The commercial spyware market is expanding rapidly, with fresh capital accelerating despite mounting policy constraints. A new Atlantic Council report cataloging the ecosystem over three decades finds that investment flows—led by the United States and Israel—are outpacing attempts to curb abuse, widening an “ethics gap” between regulation and finance.
Investment surge and geography of capital
The study tracks 561 organizations across 46 countries (1992–2024) and identifies a broader investor base, adding 34 new investors year over year to reach 128 in total (up from 94). The most significant momentum comes from the United States: in 2024 alone, 20 new US investors entered the space, bringing the US total to 31 and surpassing Israel, Italy, and the United Kingdom.
Where investors cluster—and why it matters
The European Union and Switzerland collectively account for 31 investors, with Italy standing out at 12. Israel, a longstanding development and export hub for surveillance tools, counts 26 investors. Concentration of capital in a few jurisdictions reinforces local technical advantages, supports sustained R&D, and fuels the cross-border export of surveillance capabilities.
US capital and the policy–finance disconnect
The report highlights prominent US investors—including D.E. Shaw & Co., Millennium Management, Jane Street, and Ameriprise Financial—directing funds to Cognyte, an Israeli supplier previously linked by researchers and media to surveillance-related human rights concerns. Another example is the acquisition of Israel’s Paragon Solutions by Florida-based AE Industrial Partners, a firm focused on national security investments.
The analysis underscores a systemic mismatch: financial flows continue to underwrite the same market segments that policymakers seek to restrict. Although the US placed NSO Group and Candiru (now Saito Tech) on the Department of Commerce Entity List in 2021 and issued a 2023 Executive Order limiting US federal use of commercial spyware, the report notes that Saito Tech received funding in 2024 from US-based Integrity Partners. This divergence illustrates how capital can route around policy through complex corporate structures and international finance.
Expanding ecosystem: vendors, resellers, and brokers
Beyond funding volume, the market’s architecture is becoming more intricate. Researchers identified 4 new spyware vendors, 7 new resellers/brokers, 10 new service providers, and 55 newly public actors. Vendors include Israel’s Bindecy and Italy’s SIO. Reseller channels linked to NSO Group involve entities such as Panama-based KBH and Mexico’s Comercializadora de Soluciones Integrales Mecale. Notable service providers include the UK’s Coretech Security and the UAE’s ZeroZenX.
Intermediaries as the pivotal layer
Resellers and brokers play a central yet opaque role: they obscure relationships among suppliers, financiers, and end-buyers, push products into new jurisdictions, and create an extended, low-visibility supply chain. This fragmentation hinders attribution, complicates compliance assessments across the product lifecycle, and diffuses legal accountability.
Cybersecurity and compliance implications for organizations
Rising investment and diversified distribution elevate the risk of misuse—from targeting political opponents and journalists to facilitating cross-border human rights violations, as documented in multiple investigations by entities such as Citizen Lab and Amnesty International. For buyers and investors, this raises the bar for enhanced due diligence, sanctions screening, and scrutiny of jurisdictional arbitrage in corporate structures.
Practical controls include mapping beneficial ownership, validating end-users and use-cases, and requiring contractual clauses that govern export/re-export, lawful intercept compliance, end-use verification, audit rights, and rapid offboarding if abuse indicators emerge. Organizations should demand supply-chain transparency from vendors and intermediaries, implement independent human rights impact assessments, and align procurement with export control requirements and internal risk appetites.
For security leaders, treating commercial spyware as a dual-use technology is essential. Governance programs should combine technical safeguards (telemetry, tamper-evident logging, and misuse detection), legal guardrails (licensing and reporting obligations), and continuous monitoring of resellers and brokers. Boards and LPs should require investment committees to integrate human rights, sanctions, and geopolitical risk into pre-investment screening and ongoing portfolio oversight.
The Atlantic Council’s findings point to a market that is growing, globalizing, and fragmenting. To avoid becoming part of an opaque distribution chain, organizations should set clear transparency standards, bolster accountability mechanisms, and enforce technical and contractual audits across the lifecycle. Aligning capital allocation with robust compliance and human rights due diligence will be critical to balancing innovation, security, and responsible use.
