NetSPI

NetSPI is majority-controlled by KKR following its May 2024 acquisition, with previous sponsor Sunstone Partners and CEO Aaron Shilts retaining minority stakes (per KKR, 2024). Strategic M&A and capital allocation decisions are executed by Shilts and CFO Chad Peterson under a board that includes KKR representatives. The firm has historically grown through sponsor-funded add-on acquisitions, suggesting capital deployment is approved at the board level with management sourcing and negotiating targets.

NetSPI's acquisition pipeline is sourced through a combination of management relationships in the cybersecurity testing community, inbound interest from founder-owned firms seeking liquidity, and sponsor networks at Sunstone and KKR. The five add-ons completed between 2021 and 2023 — Silent Break Security, MQTest, NST Assure, Bishop Fox's consulting division, and nVisium — were all small-to-midsize offensive-security boutiques with established client books. Post-KKR acquisition, the firm has access to that sponsor's broader portfolio for cross-referrals and deal introductions.

NetSPI is a private-equity-backed operating company, not a family office. It was acquired by Sunstone Partners in 2021 and recapitalized by KKR in 2024, with both sponsors holding equity stakes alongside management. There is no known family-office capital in the structure; the firm's growth has been funded entirely by institutional private-equity sponsors executing a buy-and-build thesis in cybersecurity services.

NetSPI does not make fund commitments — it is a cybersecurity services company, not an investment vehicle. Its capital activity consists entirely of corporate M&A: the firm acquires smaller penetration-testing and security-assessment companies and integrates them into its platform. Any institutional investment in NetSPI itself occurs at the sponsor level through KKR's and Sunstone Partners' respective fund structures.

KKR acquired a majority stake in NetSPI from Sunstone Partners in May 2024 (per KKR, 2024). The transaction marked KKR's entry into the offensive-security services sector and placed NetSPI within KKR's portfolio of technology and business-services companies. Sunstone Partners and management retained minority interests. KKR's involvement provides capital for continued acquisition-led growth and access to KKR's portfolio of enterprise clients for cross-selling opportunities.

NetSPI is an operating company, not a fund, and does not co-invest alongside external GPs. The question of co-investment is more relevant to the sponsor level: Sunstone Partners and KKR each made their respective investments in NetSPI through their own institutional fund structures, and both sponsors have historically allowed limited-partner co-investment alongside their fund vehicles on a deal-by-deal basis. NetSPI management itself does not participate in co-investment arrangements.

NetSPI's service model is focused on offensive security — penetration testing, red-teaming, attack surface management, and application security assessments. The firm does not operate in physical security, security staffing, managed-SOC services, or hardware security. Its acquisition strategy has targeted pure-play offensive security consultancies rather than broad-spectrum managed security service providers, suggesting deliberate avoidance of commoditized monitoring and compliance services in favor of high-end testing work.