Cybersecurity startups can access $250K-$10M+ in non-dilutive funding from 8+ federal programs, including DHS SBIR ($250K Phase I), DARPA I2O BAAs ($500K-$10M+), and NSF SBIR ($305K Phase I). Every agency with a network has a cybersecurity problem, and that translates into more grant opportunities than most founders realize. For cybersecurity startups, the challenge isn't finding programs -- it's choosing the right ones.
This guide maps the full landscape from research-stage SBIR grants to production-ready procurement pathways. Cada Partners has built grant strategies for cybersecurity startups across AI threat detection, zero-trust architecture, and critical infrastructure protection.
What does the cybersecurity grant landscape look like in 2026?
| Program | Agency | Award Amount | Current Status | Best For |
|---|---|---|---|---|
| DHS SBIR Phase I/II | DHS S&T | $250K / $1M | Active (annual) | Homeland security cyber, critical infrastructure |
| DARPA I2O BAAs | DARPA | $500K-$10M+ | Rolling | Breakthrough cyber research, AI for defense |
| DARPA SBIR (cyber topics) | DARPA | $250K / $1.8M | Periodic | Focused cybersecurity R&D problems |
| NSF SBIR | NSF | $305K / $1.25M | Quarterly | Fundamental security technology, privacy tech |
| IARPA BAAs | ODNI/IARPA | $500K-$5M+ | Program-specific | Intelligence community cyber, cryptography |
| AFWERX SBIR | Air Force | $75K / $1.25M | Open Topic continuous | Air Force network defense, operational tech |
| Navy SBIR | Navy | $240-280K / $1.8M | Annual topics | Maritime cyber, shipboard IT/OT security |
| DIU Cyber Portfolio | DIU | $500K-$5M (OTA) | Active CSOs | Commercial cyber products for defense |
| NIST programs | Commerce | Cooperative agreements | Varies | Standards, frameworks, measurement science |
DHS SBIR: the homeland security anchor
DHS Science & Technology Directorate manages the primary SBIR program for homeland security technology, including cybersecurity.
Key details:
- Phase I: $250,000 for 6 months (contracts, not grants)
- Phase II: up to $1,000,000 for 24 months
- Annual solicitation with specific topics
- Administered through DHS S&T's SBIR office
Typical cybersecurity topic areas:
- Critical infrastructure protection (power grid, water systems, transportation)
- Federal civilian network defense
- Identity management and authentication
- Supply chain cybersecurity
- OT/ICS (operational technology / industrial control system) security
- AI/ML for threat detection and incident response
The DHS advantage: Fewer applicants than DoD SBIR, which means less competition. DHS also has a clear procurement pathway -- successful Phase II technologies can be acquired by CISA, CBP, TSA, and other DHS components. Cada often recommends DHS SBIR as a starting point for cybersecurity clients because the lower competition meaningfully improves win probability.
The limitation: DHS topics are narrowly defined around homeland security missions. Pure enterprise cybersecurity (cloud security, endpoint protection, SaaS security) doesn't fit unless you can connect it to a federal civilian or critical infrastructure use case.
DARPA I2O: the most ambitious cyber funder
DARPA's Information Innovation Office is where the most advanced cybersecurity research gets funded. I2O doesn't fund incremental improvements to existing security tools -- it funds fundamental new approaches to computing, security, and information warfare.
I2O research areas relevant to cybersecurity:
- AI for cyber operations -- automated vulnerability discovery, AI-driven defense, adversarial ML
- Software assurance -- formal verification, provably secure software, runtime protection
- Network resilience -- self-healing networks, zero-trust architecture at scale, deception-based defense
- Information integrity -- deepfake detection, disinformation defense, provenance tracking
- Quantum-resistant cryptography -- post-quantum security protocols and implementations
How to engage: DARPA BAAs are posted on SAM.gov. I2O maintains standing BAAs accepting white papers year-round. Email the program manager with a brief description of your approach before submitting.
Award range: $500K-$10M+ for BAA contracts. $250K Phase I for SBIR topics. The BAA path is typically better for cybersecurity startups because the scope is more flexible and the awards are larger.
NSA, IARPA, and the intelligence community
NSA Research Directorate. NSA funds cybersecurity research through several mechanisms, though most are less accessible to startups than SBIR:
- NSA partners with universities through Centers of Academic Excellence (CAE)
- Some NSA-funded research flows through IARPA programs
- NSA occasionally posts research opportunities on SAM.gov
- Engaging NSA typically requires either an existing security clearance or a university partnership
IARPA (Intelligence Advanced Research Projects Activity). IARPA functions like DARPA for the intelligence community. Cybersecurity-relevant programs include:
- Cryptographic research (post-quantum, homomorphic encryption)
- Insider threat detection
- Attribution and forensics
- Signals intelligence analysis automation
IARPA uses BAAs similar to DARPA's process. Awards range from $500K to $5M+. The key difference: IARPA programs are more likely to involve classified work and intelligence community-specific requirements.
For most cybersecurity startups, DARPA I2O and DHS SBIR are more accessible than NSA or IARPA. Consider the intelligence community path only if your technology is specifically relevant to signals intelligence, cryptanalysis, or intelligence collection.
DoD cyber: AFWERX, Navy, and service-specific programs
Every military service branch has cybersecurity needs and SBIR topics:
AFWERX (Air Force). Open Topic accepts cybersecurity submissions year-round. Focus areas: mission assurance, weapon system cybersecurity, operational technology protection, Air Force network defense. $75K Phase I with 90-day decisions.
Navy SBIR. Annual topics covering maritime cybersecurity: shipboard OT/IT convergence, naval fleet cybersecurity, SATCOM security, undersea communications protection. $240-280K Phase I.
Army SBIR. Topics in tactical network defense, soldier device security, and C4ISR protection. $250K Phase I.
Cyber Command. Limited direct SBIR presence, but CYBERCOM operational needs flow into service-branch SBIR topics. If your technology addresses offensive or defensive cyber operations, look for topics mentioning "cyber operations" or "information warfare."
DIU Cyber Portfolio. For commercially mature cybersecurity products that solve DoD network defense problems. OTA prototype agreements ($500K-$5M) with 60-90 day awards. Best for companies with existing commercial customers and a product ready for government deployment.
NIST and CISA: standards and procurement (not grants)
NIST. Doesn't offer SBIR, but funds collaborative research through cooperative agreements and the National Cybersecurity Center of Excellence (NCCoE). If your technology aligns with NIST's cybersecurity framework work (CSF 2.0), privacy framework, or measurement science programs, explore NCCoE partnerships. These aren't grants -- they're collaborative engagements that provide government validation and a path to adoption.
CISA. Primarily funds state and local government cybersecurity through grants (SLCGP). CISA doesn't fund commercial R&D directly. However, CISA's CDM (Continuous Diagnostics and Mitigation) program is a multi-billion-dollar vehicle that procures commercial cybersecurity tools for federal agencies. This is a revenue opportunity, not a grant opportunity. Winning SBIR awards from other agencies can help you get on CDM-approved product lists.
Which program fits your type of cybersecurity startup?
| Your Focus Area | Start Here | Also Consider | Notes |
|---|---|---|---|
| AI/ML for threat detection | DARPA I2O | NSF, DHS SBIR | DARPA for fundamental, DHS for applied |
| Critical infrastructure (OT/ICS) | DHS SBIR | DOE (energy grid), NSF | DHS owns the critical infrastructure mission |
| Cloud / enterprise security | NSF | DHS SBIR, DIU | NSF is broadest; DHS if federal use case |
| Post-quantum cryptography | NSF, DARPA | IARPA, NIST | Active research area across agencies |
| Identity / authentication | DHS SBIR | NSF, NIST (NCCoE) | DHS has specific identity management topics |
| Deception technology | DARPA I2O | AFWERX | DARPA funds novel defense approaches |
| Hardware security / supply chain | DARPA MTO | NSF, DHS | DARPA for chip-level, DHS for supply chain |
| Military network defense | AFWERX, Navy | Army, Cyber Command topics | Service-specific topics |
How does CMMC compliance affect cybersecurity SBIR applications?
If you win DoD SBIR awards or DIU contracts, you'll likely encounter CMMC (Cybersecurity Maturity Model Certification):
- Level 1: Basic cyber hygiene (17 practices). Required for handling Federal Contract Information (FCI). Most SBIR Phase I companies need this.
- Level 2: Advanced security (110 practices aligned with NIST 800-171). Required for handling Controlled Unclassified Information (CUI). Typically required at Phase II or production.
- Level 3: Expert security. Required for critical defense programs. Unlikely for early-stage SBIR.
Ironic but true: Cybersecurity startups must comply with the same cybersecurity standards as any other DoD contractor. Your product may be brilliant, but if your own IT systems don't meet CMMC Level 2, you can't handle CUI data in your Phase II work.
Where should cybersecurity startups start (and in what order)?
1. DHS SBIR -- check the annual solicitation for matching topics. Fewer applicants = better odds.
2. NSF SBIR -- if your technology has fundamental research merit (novel algorithms, provable security properties).
3. DARPA I2O -- if your approach is genuinely breakthrough. Email the PM first.
4. AFWERX Open Topic -- if you have a military network defense angle. Fast feedback.
5. DIU -- if you have a commercial product ready for government deployment.