WAVS Western Acquisition Ventures Corp. - 10-K

Item 1A. Risk Factors

You should carefully consider the risks and uncertainties described below, together with all of the other information included in this Annual Report on Form 10-K and other documents we file with the SEC. The risks and uncertainties described below are those that we have identified as material to our business, but they are not the only risks and uncertainties facing us. Additional risks and uncertainties not currently known to us or that we currently believe are immaterial also may adversely affect our business, financial condition, results of operations and prospects. If any of the following risks actually occur, our business, financial condition, results of operations and prospects could be materially and adversely affected, in which case the trading price of our common stock could decline and you could lose all or part of your investment.

Risks Related to Our Business and Operations

We derive a substantial portion of our revenue from a limited number of contracts and clients, and the loss of any significant contract or client relationship could materially reduce our revenue and profitability.

A significant portion of our revenue is concentrated among a small number of contracts and clients, primarily state and local government agencies including higher education institutions, law enforcement agencies, and municipal transportation authorities. If any significant client were to terminate, reduce the scope of, or fail to renew their contracts with us, or if we were unable to replace expiring contracts with new engagements of comparable scope and value, our revenue could decline significantly. The conclusion of certain key government contracts contributed to a decline in revenue during fiscal year 2025. Our reliance on a concentrated client base means that adverse developments affecting even a single major client—such as a change in that client's leadership, budget priorities, procurement policies, or political environment—could have a disproportionate impact on our financial results.

Our contracts with state and local government agencies are subject to funding risks, including dependence on federal funding that flows through those agencies, which creates uncertainty in our revenue.

While the majority of our contracts are with state and local government entities, many of these clients fund their IT and cybersecurity programs in whole or in part with grants, appropriations, or pass-through funding from the federal government. Federal funding for state and local cybersecurity and IT modernization programs is subject to annual congressional appropriations, continuing resolutions, government shutdowns, executive orders, and shifting policy priorities. Reductions or delays in federal funding—whether resulting from budget cuts, sequestration, the activities of cost-reduction initiatives such as the Department of Government Efficiency ("DOGE"), or changes in the political environment—can cause our state and local government clients to delay procurements, reduce contract scope, or cancel projects entirely. We have experienced, and may continue to experience, delays in contract awards and revenue recognition attributable to disruptions in federal funding flows.

Additionally, state and local governments face their own budgetary pressures, including rising pension obligations, infrastructure costs, and competing spending priorities. Many operate under balanced-budget requirements and may lack the flexibility to sustain IT and cybersecurity spending during periods of fiscal stress. Budget compromises that may be needed for future fiscal years may continue to be extraordinarily difficult given the complicated grassroots political environment, a closely divided Congress, an increasing federal deficit and debt load, and a challenged economy.

Recent and ongoing federal and state government cost-reduction initiatives may reduce demand for our services and disrupt our contracting pipeline.

The current federal administration has undertaken significant cost-reduction initiatives, including through DOGE, that have resulted in broad-based cuts to federal contracts, grants, and agency budgets. These initiatives have directly impacted federal cybersecurity and IT spending, including the termination of contracts at the Cybersecurity and Infrastructure Security Agency ("CISA"), reductions in Federal Risk and Authorization Management Program ("FedRAMP") staffing, and disruptions to interagency cybersecurity coordination. Although our contracts are primarily with state and local governments rather than directly with federal agencies, these federal cost-reduction efforts have had, and may continue to have, cascading effects on our business because many of our state and local clients rely on federal pass-through funding. Federal grant programs that historically supported state and local cybersecurity investments have been reduced or placed under review, creating uncertainty for our clients and slowing their procurement timelines.

Table of Contents

Additionally, approximately half of U.S. states have created or proposed their own state-level efficiency initiatives modeled on the federal DOGE program. These state-level cost-reduction efforts could directly impact our existing contracts and our ability to win new engagements at the state and local level. We have experienced, and expect we may continue to experience, delays in our contracting backlog attributable to these budget disruptions, and we can provide no assurance that these delayed contracts will ultimately convert to revenue. There is also the risk that government clients at any level may choose to perform cybersecurity and IT services in-house rather than contracting with outside providers like us, which would further reduce demand for our services.

The competitive landscape for cybersecurity and IT services is intense, and if we do not continue to innovate we may not remain competitive and our revenue and operating results could suffer.

The market for cybersecurity and IT services provided to government clients is highly competitive and fragmented. We compete with large, well-established defense and IT contractors, each of which has significantly greater financial, technical, and marketing resources, broader name recognition, and larger installed bases of government contracts and clearances. We also compete with specialized cybersecurity firms, cloud service providers, managed security service providers, and smaller niche contractors. Many of our competitors can offer broader service portfolios, more favorable pricing, and greater capacity to absorb the costs of competitive bidding and contract protests.

The cybersecurity landscape is constantly changing with increasing scale, frequency, and organization of attacks, requiring constant improvement and timely innovation. We face the risk that our service offerings may not adequately target our clients’ most-needed solutions, may not be cost-effective, or may not be easy to adopt and use. If our competitors introduce new technologies or services that make our product and service offerings less attractive, or if we are unable to anticipate and respond to changes in the threat landscape and client requirements in a timely manner, our competitive position, revenue, and operating results could be materially adversely affected.

The government contracting process is lengthy, complex, and subject to protest and delay, which makes our revenue difficult to predict.

The process for obtaining new government contracts and task orders is frequently protracted, involving competitive solicitations, multi-step evaluations, and best-value determinations. Contract award decisions may be delayed by funding uncertainties, changes in agency leadership or priorities, or procurement policy changes. Protests by unsuccessful bidders can delay the start of work by months or result in re-competition of the contract entirely. We may spend considerable cost and management time preparing bids and proposals for contracts that we do not win.

Government contracts are also frequently structured as indefinite delivery/indefinite quantity ("IDIQ") contracts, General Services Administration Schedule ("GSA") contracts, or blanket purchase agreements, under which the government is not obligated to order any minimum amount of services. We believe our position as a prime contractor under GSA Schedule contracts and other IDIQ contracts is important to our ability to sell our services, but these vehicles require us to compete for each individual task order rather than having a predictable stream of activity. As a result, our contracted backlog may not be a reliable indicator of future revenue. We also experience seasonality in our revenue, as government procurement cycles tend to accelerate near the end of fiscal years, which can cause quarter-to-quarter fluctuations.

Our government contracts are subject to audit, investigation, modification, and termination by the government, which could result in adverse findings, reduced revenue, or other penalties.

Government contracts are subject to oversight, including audits by government auditors and investigators. Government agencies have the unilateral right to modify, curtail, or terminate our contracts, either for convenience or for cause. If a contract is terminated for convenience, we generally can recover only costs incurred and a reasonable profit on work already performed, but may not recover anticipated profits on unperformed work. If a contract is terminated for cause, we may be required to pay the government for the cost of re-procuring the services, and a termination for cause could harm our reputation and ability to win future contracts.

As a government contractor, we are subject to various laws and regulations governing the formation, administration, and performance of government contracts, including the Federal Acquisition Regulation and its state and local equivalents. Violations of these requirements, including the False Claims Act, could result in civil or criminal penalties, treble damages, contract suspension or debarment, or other remedies that would materially harm our business and reputation. The Department of Justice's Civil Cyber-Fraud Initiative has increased the risk that government contractors may face False Claims Act liability related to cybersecurity compliance, which is particularly relevant given that cybersecurity compliance is itself a core component of our service offerings.

Table of Contents

Our business strategy may impose limitations in our ability to accurately forecast future revenue and operating results.

Our operating results are dependent on a variety of factors, including purchasing patterns of our clients, competitive pricing, debt servicing, and general economic trends. Our revenue and operating results may fluctuate if our sales targets are not met, new service offerings receive poor client response, or client acquisition costs increase due to competition. In addition, our acquisition strategy may impose additional risks to the predictability of our operating results, as revenue streams may be volatile due to the uncertainty in identifying attractive acquisition candidates and our ability to consummate new acquisitions.

Risks Related to Cybersecurity and Technology

A cybersecurity breach or incident affecting our systems, our clients' systems, or our AI-enhanced ARx platform could damage our reputation, expose us to liability, and undermine the market confidence that is fundamental to our business.

As a cybersecurity provider, our reputation depends on the market’s confidence in the security and reliability of our services and technology. A successful cyberattack against our own systems, the systems we manage for clients, or our AI-enhanced ARx cybersecurity platform could compromise sensitive government data, disrupt client operations, expose us to regulatory penalties and litigation, and cause lasting reputational harm. Because we are in the business of protecting our clients against cyber threats, a security failure affecting our own operations would be particularly damaging to our credibility and competitive position.

Cyberattacks are becoming more frequent, more sophisticated, and more difficult to detect. Threat actors—including nation-state actors, organized criminal groups, and insiders—continue to develop new methods of attack, and there can be no assurance that our defensive measures will be sufficient to prevent all breaches. Additionally, our products may contain undetected errors or defects, may falsely detect vulnerabilities or threats that do not actually exist, or may fail to detect vulnerabilities in our customers’ infrastructure, including due to the constantly evolving techniques used by attackers to access or sabotage data. If we fail to update our solutions in a timely or effective manner to respond to these threats, our customers could experience security breaches. We cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, or that insurance will continue to be available on economically reasonable terms.

The cybersecurity regulatory environment is rapidly evolving, and our failure to comply with new and changing requirements could result in penalties, loss of contracts, and competitive disadvantage.

Our business is subject to a complex and rapidly changing set of cybersecurity regulations and standards at the federal, state, and local levels. Federal requirements include compliance with NIST (defined below) SP 800-171 for protecting Controlled Unclassified Information, the Cybersecurity Maturity Model Certification ("CMMC") program, FedRAMP authorization requirements for cloud-based solutions, and various agency-specific security requirements. State and local governments are also increasingly adopting their own cybersecurity compliance mandates and vendor security assessment programs.

Both as a cybersecurity provider and as a government contractor, we bear a dual compliance burden: we must maintain our own compliance and must also deliver solutions that enable our clients to achieve and maintain theirs. Changes to regulatory requirements require us to invest in updating our internal systems, processes, and solution offerings. These costs can be substantial and may not be fully recoverable under existing contracts. The SEC's cybersecurity disclosure rules, adopted in 2023, require us to disclose material cybersecurity incidents within four business days, and as a cybersecurity company, any such disclosure would be particularly damaging to our market position.

Our AI-enhanced ARx platform and other technology solutions are at an early stage of market adoption, and there is no assurance that these products will achieve broad commercial acceptance.

We are investing in the development and deployment of our AI-enhanced ARx cybersecurity platform and our Cyber Shield Managed Security Services Platform ("MSSP"). These platforms represent a strategic shift toward higher-margin, technology-driven recurring revenue, but they are at an early stage of market adoption. There is no guarantee that government or commercial clients will adopt these platforms at the scale or pace we anticipate, that the platforms will perform as expected in production environments, or that competitors will not introduce superior alternatives. The development and enhancement of these technology platforms require substantial ongoing investment, and if they fail to achieve meaningful market traction, we may not recover our development costs.

The integration of artificial intelligence into our products and services introduces new categories of risk, including adversarial manipulation of AI models, AI-generated false positives or negatives in threat detection, and the evolving federal and state regulatory landscape governing AI in government operations. Regulatory requirements for AI transparency, bias testing, and explainability are still developing, and future regulations could constrain our product development or require costly modifications to our AI-driven solutions.

Table of Contents

We depend on unaffiliated third-party software in order to provide our solutions and professional services and support our operations.

Significant portions of our services and operations rely on software that is licensed from third-party vendors. The fees associated with these license agreements could increase in future periods, resulting in increased operating expenses. If there are significant changes to the terms and conditions of our license agreements, or if we are unable to renew these license agreements, we may be required to make changes to our vendors or information technology systems that could impact the solutions and services we provide to our clients or the processes we have in place to support our operations.

Risks Related to Our Financial Condition and Capital Structure

Our recurring losses, net working capital deficit, and accumulated deficit have raised substantial doubt regarding our ability to continue as a going concern.

We have had a net working capital deficit and an accumulated deficit resulting from net income incurred during certain periods and from substantial losses during prior periods. In addition, we have had net cash outflows from operating activities, all of which raise substantial doubt about our ability to continue as a going concern. Although we were nominally profitable during certain recent fiscal years, there is no assurance that we will not continue to generate operating losses and consume significant cash resources for the foreseeable future.

Without additional financing, these conditions raise substantial doubt about our ability to continue as a going concern, meaning that we may be unable to continue operations for the foreseeable future or realize assets and discharge liabilities in the ordinary course of operations. If we seek additional financing to fund our business and potential acquisition activities in the future and there remains doubt about our ability to continue as a going concern, investors or other financing sources may be unwilling to provide additional funding on commercially reasonable terms or at all. If we are unable to obtain sufficient funding, our business, prospects, financial condition, and results of operations will be materially and adversely affected, and we may be unable to continue as a going concern. If we are unable to continue as a going concern, we may have to liquidate our assets and may receive less than the value at which those assets are carried on our financial statements; accordingly, it is likely that stockholders will lose all or a part of their investment.

Our level of indebtedness and debt service obligations could adversely affect our financial condition and make it more difficult to fund our operations.

We have significant indebtedness and other liabilities outstanding. This level of indebtedness means that we will need to use a substantial portion of available cash flow to pay interest and principal on existing debt, reducing the amount of money available to finance our operations and other business activities. Our debt level increases our vulnerability to general economic downturns and adverse industry conditions, could limit our flexibility in planning for or reacting to changes in our business, could place us at a competitive disadvantage compared to our competitors that have less debt, and our failure to comply with financial and other restrictive covenants in our debt instruments could result in an event of default that, if not cured or waived, could have a material adverse effect on our business or prospects. Despite the existing level of indebtedness, we and our subsidiaries may incur additional indebtedness, which could further exacerbate these risks.

We will require substantial additional funding in the future, which may not be available to us on acceptable terms, or at all, and, if not so available, may require us to delay, limit, reduce, or cease our operations.

Our operations have consumed substantial amounts of cash since our inception. Our business will require substantial additional capital for implementation of our long-term business plan and development of cybersecurity technology. Our ability to raise additional funds may be adversely impacted by potential worsening global economic conditions and disruptions to the credit and financial markets. We may seek to fund our operations through the sale of additional equity securities, debt financing, and/or strategic collaboration agreements. We cannot be sure that additional financing from any of these sources will be available when needed or that, if available, it will be obtained on favorable terms.

If we raise additional funds by selling shares of our common stock or other equity-linked securities, the ownership interest of our current stockholders will be diluted. We may issue additional shares of Cycurion common stock or other equity securities without stockholder approval in connection with future acquisitions, repayment of outstanding indebtedness, or under the 2025 Equity Incentive Plan. The issuance of additional shares could decrease your proportionate ownership interest, subordinate the rights of holders of common stock if preferred stock is issued with senior rights, or adversely affect the market price of our shares. If we raise additional funds through debt financing, we may have to grant a security interest on our assets, and servicing the interest and principal repayment obligations could divert funds that would otherwise be available to support development of new programs and marketing. If we are unable to raise capital when needed or on acceptable terms, we could be forced to delay, reduce, or eliminate certain service offerings or future marketing efforts, or reduce or discontinue our operations.

Table of Contents

Our allocation of capital to cryptocurrency investments involves speculative risk and may not align with the expectations of our shareholders or clients .

Through our subsidiary, Cycurion Crypto, we have allocated capital from our equity line of credit to acquire Bitcoin and Ethereum as long-term holdings. Cryptocurrency markets are extremely volatile and subject to regulatory uncertainty, technological risks, and market manipulation. The value of our cryptocurrency holdings could decline substantially, and such declines would adversely affect our financial condition and results of operations. Our decision to allocate capital to cryptocurrency rather than to our core cybersecurity operations or working capital needs may be viewed unfavorably by investors, analysts, and government clients. There is no assurance that our cryptocurrency strategy will enhance shareholder value.

Risks Related to Our Growth Strategy and Acquisitions

Our growth strategy depends in part on acquisitions, which involve integration risks, potential liabilities, and the diversion of management's attention, and if we fail to retain existing clients and attract new clients through acquisitions, we may not achieve profitability.

We have completed the acquisition of certain complementary businesses, and we intend to consider additional potential strategic transactions that expand, complement, or otherwise relate to our business. Any business acquisition creates risks such as the need to integrate and manage the acquired business, additional demands on our resources and controls, disruption of our ongoing business, and diversion of management’s attention. The environment for acquisitions in our industry is very competitive and acquisition candidate purchase prices will likely exceed what we would prefer to pay. We may only be able to conduct limited due diligence on an acquired company’s operations or may discover that products or technology acquired were not as capable as we initially assessed. Following an acquisition, we may be subject to unforeseen liabilities arising from the acquired company’s past or present operations that may exceed negotiated warranty and indemnity limitations.

Through acquisition of other service providers, we will also inherit an increasingly larger client base, which creates cross-selling and up-selling opportunities but also requires high-quality service and exemplary client management to retain and grow that base. If our marketing and integration efforts do not materialize, we may lose existing clients or fail to obtain new clients. Integration challenges are particularly acute for a company of our size, as we have limited management bandwidth and financial resources to absorb the complexity of multiple simultaneous integration efforts. Any impairment of goodwill or other intangible assets acquired in an acquisition may materially reduce our earnings.

Our strategic partnerships and international expansion expose us to a range of business risks and uncertainties.

We have entered, and intend to continue to enter, into strategic partnerships with third parties to support our future growth plans, including our partnership with LSV-TECH International Consortium to launch our MSSP Cyber Shield platform in Latin America and our collaboration with NACCHO for public health cybersecurity. Strategic partnerships require significant coordination, and we have invested and will continue to invest significant time, money, and resources to establish and maintain these relationships. There is no assurance that any particular relationship will continue, result in new offerings that we can effectively commercialize, or generate meaningful revenue. International expansion exposes us to risks including unfamiliar regulatory environments, foreign exchange fluctuations, geopolitical instability, and the challenges of establishing brand recognition in new geographies.

Risks Related to Our Human Capital

We rely on personnel with extensive information security expertise, including security-cleared professionals, and the loss of, or our inability to attract and retain, qualified personnel could harm our business.

Our future performance depends upon our ability to attract and retain qualified cybersecurity personnel and the continued contribution of our senior management and other qualified personnel. The information technology consulting and cybersecurity industries have highly competitive labor markets, and there is a well-documented nationwide shortage of qualified cybersecurity professionals. This shortage is particularly acute for personnel who hold government security clearances, as the clearance process is lengthy, expensive, and outside of our control, which constrains our ability to staff contracts and scale our operations rapidly in response to new contract awards.

We compete for talent with larger, better-capitalized firms that can offer higher compensation, more extensive benefits, and broader career advancement opportunities. In order to attract and retain the employees we need, we may need to increase compensation levels, which could adversely affect our operating margins. The loss of the services of our senior management or other key employees for any reason could significantly delay or prevent the achievement of our development and strategic objectives. If any of our executive officers joins a competitor or forms a competing company, we may lose some or all of our customers. We do not maintain key-person life insurance on any of our executive officers.

Table of Contents

Risks Related to Our Securities and Nasdaq Listing

There can be no assurance that our securities will continue to be listed on Nasdaq in the future.

Our common stock is listed on The Nasdaq Global Market and our warrants are listed on The Nasdaq Capital Market. We have received, and may continue to receive, deficiency notices from Nasdaq related to our failure to timely file periodic reports with the SEC and to meet minimum bid price, market value of listed securities, and market value of publicly held shares requirements. Although we are working to regain compliance with all applicable Nasdaq listing rules, there is no guarantee that we will be able to do so within the required time periods or at all.

If our common stock were to be delisted from Nasdaq and become quoted on the over-the-counter market, and if the trading price were below $5.00 per share at the time of delisting, trading in our common stock would be subject to certain rules promulgated under the Exchange Act that require additional disclosure by broker-dealers in connection with trades involving “penny stocks” and impose various sales practice requirements on broker-dealers who sell penny stocks to persons other than established customers and accredited investors. These additional requirements may discourage broker-dealers from effecting transactions in our securities, which could severely limit the market price and liquidity of our common stock. Delisting could also impair our reputation with government clients and partners, who may view our continued listing status as an indicator of financial stability and corporate governance quality, and could trigger defaults or other adverse consequences under our financing agreements.

If we fail to comply with the continued minimum closing bid requirements of the Nasdaq Global Market or other requirements for continued listing, our common stock may be delisted and the price of our common stock and our ability to access the capital markets could be negatively impacted.

Our common stock is listed for trading on the Nasdaq Global Market. We must satisfy Nasdaq continued listing requirements, including, among other things, a minimum closing bid price requirement of $1.00 per share for 30 consecutive business days. If a company’s common stock trades for 30 consecutive business days below the $1.00 minimum closing bid price requirement, Nasdaq will send a deficiency notice to it, advising that it has been afforded a "compliance period" of 180 calendar days to regain compliance with the applicable requirements. Thereafter, if such a company does not regain compliance with the bid price requirement, a second 180-day compliance period may be available.

On October 14, 2025, we received written notice from the Nasdaq Staff that it had determined to commence proceedings to delist our common stock from the Nasdaq Global Market. As previously announced in a Current Report filed with the SEC, on April 15, 2025, the Staff notified us on April 9, 2025 that, for the prior 30 consecutive business days, the closing bid price of our common stock had been below the minimum of $1.00 per share required for continued listing on The Nasdaq Global Market under Nasdaq Listing Rule 5550(a)(2) ("Bid Price Rule"). The notification letter stated that we would be afforded 180 calendar days, or until October 6, 2025, to regain compliance. We did not regain compliance with the Bid Price Rule by October 6, 2025, and the listed security is now subject to delisting from The Nasdaq Global Market. Unless we request an appeal of the Staff's determination by October 21, 2025, trading of our common stock will be scheduled for delisting at the opening of business on October 23, 2025, and Nasdaq intends to file a Form 25-NSE with the SEC, removing the common stock from listing and registration on The Nasdaq Stock Market. On October 20, 2025, the we requested a hearing to appeal the Staff's determination to the Nasdaq Hearings Panel pursuant to the procedures set forth in the Nasdaq Listing Rule 5800 Series. The hearing request will stay the suspension of our securities and the filing of the Form 25-NSE pending the Panel's decision. We received written notice from Nasdaq that the hearing with the Panel was scheduled for November 20, 2025.

On October 27, 2025, we effected the one-for-thirty Reverse Stock Split (as defined below) at the commencement of business. We effected the Reverse Stock Split by filing the Second Amendment to the Second Amended and Restated Certificate of Incorporation with the Secretary of State of the State of Delaware on October 24, 2025. Our shares of common stock began trading on a split-adjusted basis on The Nasdaq Global Market, when the market opened on October 27, 2025, under the existing trading symbol "CYCU" and new CUSIP number 95758L305. As a result of the Reverse Stock Split, every thirty of our issued shares of common stock were combined into one issued share of common stock, without any change to the par value per share and without any change in the total number of authorized shares of common stock. The number of outstanding shares of common stock was reduced from approximately 86,533,435 shares to approximately 2,884,447 shares. No fractional shares were issued in connection with the Reverse Stock Split. Stockholders who otherwise held a fraction of a share of common stock of yours will receive a cash payment (without interest and subject to withholding taxes, as applicable) in lieu thereof at a price equal to that fraction of a share to which the stockholder would otherwise be entitled, multiplied by the closing price of our shares on The Nasdaq Global Market on the trading day immediately preceding the effective date of the Reverse Stock Split.

Table of Contents

On November 11, 2025, we received a letter from Nasdaq stating that Nasdaq has determined that we regained compliance with Nasdaq’s minimum bid price requirement under Listing Rule 5450(a)(1) and that we are now in compliance with The Nasdaq Global Market’s listing requirements. Nasdaq also determined that the previously scheduled hearing with the Panel on November 20, 2025 has been canceled and that our securities will continue to be listed and traded on The Nasdaq Stock Market without interruption.

Despite the implementation of the Reverse Stock Split, and the regained compliance with the Bid Price Rule, there is a risk that our shares of common stock may trade below $1.00 in the future and we could be delisted from Nasdaq, which would adversely impact liquidity of our shares of common stock, potentially result in even lower bid prices for our shares of common stock, and make it more difficult for us to obtain financing through the sale of our shares of common stock.

Following the Reverse Stock Split, the resulting market price of our common stock may not attract new investors, including institutional investors, and may not satisfy the investing requirements of those investors. Consequently, the trading liquidity of our common stock may not improve.

Although we believe that a higher market price of our common stock may help generate greater or broader investor interest, there can be no assurance that the Reverse Stock Split will result in a share price that will attract new investors, including institutional investors. In addition, there can be no assurance that the market price of our common stock will satisfy the investing requirements of those investors. As a result, the trading liquidity of our common stock may not necessarily improve.

A "short squeeze" due to a sudden increase in demand for shares of our common stock that largely exceeds supply and/or focused investor trading in anticipation of a potential short squeeze have led to, and may lead to, extreme price volatility in the price of our common stock.

Investors may purchase shares of our common stock to hedge existing exposure or to speculate on the price of our common stock. Speculation on the price of our common stock may involve long and short exposures. To the extent aggregate short exposure exceeds the number of shares of our common stock available for purchase on the open market, investors with short exposure may have to pay a premium to repurchase shares of our common stock for delivery to lenders of our common stock. Those repurchases may, in turn, dramatically increase the price of shares of our common stock until additional shares of our common stock are available for trading or borrowing. This is often referred to as a "short squeeze." With the recent substantial increase in volume of our shares being traded and trading price, the proportion of our common stock that may be traded in the future by short sellers may increase the likelihood that our common stock will be the target of a short squeeze. A short squeeze and/or focused investor trading in anticipation of a short squeeze have led to, may be currently leading to, and could again lead to volatile price movements in shares of our common stock that may be unrelated or disproportionate to our financial performance or prospects and, once investors purchase the shares of our common stock necessary to cover their short positions, or if investors no longer believe a short squeeze is viable, the price of our common stock may rapidly decline. Investors that purchase shares of our common stock during a short squeeze may lose a significant portion of their investment. Under the circumstances, we caution you against investing in our common stock, unless you are prepared to incur the risk of losing all or a substantial portion of your investment.

Our common stock price may be volatile and as a result you could lose all or part of your investment.

Since our common stock began trading on Nasdaq following our de-SPAC transaction with Western, our stock price has experienced substantial volatility and significant decline. Our stock price may continue to fluctuate significantly in response to a variety of factors, many of which are beyond our control, including: the inability to maintain the listing of our securities on Nasdaq; the inability to recognize the anticipated benefits of the de-SPAC transaction; decline in demand for, or the sale of a substantial number of, our shares of common stock; risks relating to the uncertainty of our projected financial information and downward revisions in analysts' estimates; technological innovations by competitors; changes in applicable laws or regulations; general economic trends; and broad market and industry factors unrelated or disproportionate to our operating performance. The thin trading volume in our shares may exacerbate price volatility and limit investors' ability to buy or sell shares at desired prices.

Volatility in the price of our common stock may subject us to securities litigation, which could cause us to incur significant expense, hinder execution of business and growth strategy and impact our stock price.

In the past, plaintiffs have often initiated securities class action litigation against a company following periods of volatility in the market price of its securities. Stockholder activism, which could take many forms or arise in a variety of situations, has been increasing recently. We may in the future be the target of similar litigation or activism. Securities litigation could result in substantial costs and liabilities and could divert management's attention and resources regardless of the outcome. Additionally, such securities litigation and stockholder activism could adversely affect our relationships with service providers and make it more difficult to attract and retain qualified personnel.

Table of Contents

Potential future sales pursuant to registration rights and under Rule 144 may depress the market price for our shares of common stock.

We have granted a number of our stockholders registration rights with respect to their shares of common stock. Such future sales by our existing stockholders pursuant to any registration statement, as well as sales by stockholders eligible to sell under Rule 144 under the Securities Act, may have a depressive effect on the market price of our shares. A significant number of our currently outstanding shares held by existing stockholders, including officers, directors, and principal stockholders, are currently or will become eligible for resale, and the possible sale of these shares could further depress the price of our shares in the applicable trading marketplace.

Future offerings of debt or preferred equity securities could adversely affect the market price of our common stock.

In the future, we may attempt to increase our capital resources by making additional offerings of debt or preferred equity securities. Upon liquidation, holders of our debt securities and shares of preferred stock and lenders with respect to other borrowings would receive distributions of our available assets prior to the holders of our common stock. Any preferred stock we may issue could have a preference on liquidating distributions or distribution payments that could limit our ability to make distributions to common stockholders. Since our decision to issue securities in any future offering will depend on market conditions and other factors beyond our control, we cannot predict the amount, timing or nature of our future offerings, and our stockholders bear the risk that future offerings may reduce the market price of our common stock.

You may experience immediate and substantial dilution as a result of an offering by us and any future offering and may experience additional dilution in the future.

In the future, your percentage ownership in our company may be diluted because of equity issuances for warrant exercises, conversion of promissory notes, acquisitions, strategic investments, capital market transactions, or otherwise, including equity compensation awards that we grant to our directors, officers and employees. The issuance and resale of additional shares of common stock or other securities in any future registration statement may cause substantial dilution of your ownership interest in our securities.

The future issuance of any such additional shares of common stock may create downward pressure on the trading price of our common stock. There can be no assurance that we will not be required to issue additional shares, warrants or other convertible securities in the future in conjunction with any capital raising efforts, including at a price (or exercise prices) below the price at which shares of our common stock are currently traded at such time.

Risks Related to Legal, Regulatory, and Compliance Matters

If we fail to maintain proper and effective internal control over financial reporting, our ability to produce accurate and timely financial statements could be impaired, which could harm our operating results, investors' views of us, and the value of our common stock.

Pursuant to Section 404 of the Sarbanes-Oxley Act, our management is required to report upon the effectiveness of our internal control over financial reporting. When and if we are a "large accelerated filer" or an "accelerated filer" and are no longer an "emerging growth company" or "smaller reporting company," our independent registered public accounting firm will be required to attest to the effectiveness of our internal control over financial reporting. However, for so long as we remain an emerging growth company or smaller reporting company, we intend to take advantage of an exemption from these auditor attestation requirements.

The rules governing management’s assessment of internal control over financial reporting are complex and require significant expenses, documentation, testing, and possible remediation. If we or, if required, our auditors are unable to conclude that our internal control over financial reporting is effective, investors may lose confidence in our financial reporting, the trading price of our common stock may decline, and our ability to obtain additional financing, especially on favorable terms, could be adversely affected. Any identified material weakness in our internal controls could affect our ability to provide reliable financial statements and our business decision-making process, and could result in investigations or sanctions by regulatory authorities.

As a provider of cybersecurity services to government clients, we are subject to heightened data protection obligations, and any compliance failure could result in significant penalties and loss of client trust.

We handle sensitive government data in the course of providing cybersecurity and IT services to our government clients. We are subject to numerous federal, state, and local laws and regulations governing the collection, use, storage, transmission, and protection of such data. Many federal, state, and foreign governments have enacted laws requiring companies to notify individuals of data security breaches involving their personal data, and any association of us with such breaches may cause our customers to lose confidence in the effectiveness of our security solutions. Our failure to comply with these requirements could result in regulatory penalties, contract termination, litigation, and severe reputational damage.

Table of Contents

The Financial Industry Regulatory Authority, Inc. ("FINRA") has adopted sales practice requirements that may also limit a stockholder's ability to buy and sell our common stock.

FINRA has adopted rules that require that, in recommending an investment to a customer, a broker-dealer must have reasonable grounds for believing that the investment is suitable for that customer. Prior to recommending speculative low-priced securities to their non-institutional customers, broker-dealers must make reasonable efforts to obtain information about the customer's financial status, tax status, investment objectives and other information. Under interpretations of these rules, FINRA believes that there is a high probability that speculative, low-priced securities will not be suitable for at least some customers. FINRA requirements make it more difficult for broker-dealers to recommend that their customers buy our shares of common stock, which may limit your ability to buy and sell our stock and have an adverse effect on the market for our shares of common stock.

Changes in government contracting regulations, procurement preferences, or small business set-aside policies could reduce our contract opportunities.

The government contracting environment is subject to frequent legislative and regulatory changes. Changes to Federal Acqusition Regulation provisions, state procurement codes, small business set-aside programs, and best-value evaluation criteria could alter the competitive dynamics of our markets in ways that are difficult to predict. The current administration’s initiative to overhaul the Federal Acquisition Regulation (described as "FAR 2.0") represents the first major restructuring of federal procurement rules in approximately forty years and could introduce new requirements or change evaluation standards that affect our competitiveness. At the state and local level, procurement reforms, vendor consolidation initiatives, and changes to cooperative purchasing arrangements could similarly affect our contract pipeline.

Accusations of intellectual property infringement by third parties, regardless of accuracy, could result in significant costs and harm our business.

We cannot ensure that our professional services and solutions, or the third-party solutions that we offer to our clients, do not infringe on the intellectual property rights of third parties. Infringement claims, even if without merit, can be time-consuming and costly to defend, injure our reputation, and divert management’s attention and resources away from our business. If we are required to enter into royalty or licensing agreements on less-than-favorable terms or to modify our offerings, our ability to compete effectively could be impaired.

Our insurance policies may not adequately protect us from all business risks, leaving us exposed to significant uninsured liabilities.

We carry insurance for most categories of risk that our business may encounter; however, we may not have adequate levels of coverage. We may not be able to maintain existing insurance at current or adequate levels of coverage. Any significant uninsured liability may require us to pay substantial amounts, which would adversely affect our cash position and results of operations.

Anti-takeover provisions contained in our charter and bylaws, as well as provisions of Delaware law, could impair a takeover attempt.

Our charter contains provisions that may discourage unsolicited takeover proposals that stockholders may consider to be in their best interests. We are also subject to anti-takeover provisions under Delaware law, which could delay or prevent a change of control. Together, these provisions may make more difficult the removal of management and may discourage transactions that otherwise could involve payment of a premium over prevailing market prices. These provisions include no cumulative voting in the election of directors, the right of our board of directors (the "Board") to fill vacancies, and a prohibition on stockholder action by written consent.

Our charter also provides that the Court of Chancery of the State of Delaware will be the exclusive forum for substantially all disputes between us and our stockholders (subject to limited exceptions), and that the federal district courts of the United States will be the sole forum for Securities Act claims. This choice of forum provision may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable, which may discourage certain lawsuits and increase the costs of litigating claims.

Table of Contents

Risks Related to Operating as a Public Company

Our historical management team has limited experience managing a public company, and we may incur significantly increased costs as a result of operating as a public company.

Our historical management team members have limited experience managing a publicly traded company, interacting with public company investors, and complying with the increasingly complex laws, rules and regulations that govern public companies. As a public company, we are subject to significant obligations relating to reporting, procedures and internal controls, and our management team may not successfully or efficiently manage such obligations, which could divert attention from the day-to-day management of our business.

We incur significant costs related to legal, accounting, listing, hiring of external consultants and advisors, and other expenses of being a public company. We are subject to the reporting requirements of the Exchange Act and must comply with the applicable requirements of the Sarbanes-Oxley Act, the Dodd-Frank Act, and SEC and Nasdaq rules, including the establishment and maintenance of effective disclosure and financial controls. We expect that compliance with these requirements will continue to increase our legal and financial compliance costs. Additionally, operating as a public company makes it more expensive to obtain director and officer liability insurance, which could also make it more difficult to attract and retain qualified people to serve on our Board or as executive officers.

We qualify as an "emerging growth company" and a "smaller reporting company," and if we take advantage of certain exemptions from disclosure requirements, it could make our securities less attractive to investors.

We qualify as an "emerging growth company" as defined in the Securities Act, as modified by the JOBS Act, and are eligible to take advantage of certain exemptions from various reporting requirements, including the auditor attestation requirements under Section 404(b) of the Sarbanes-Oxley Act, say-on-pay voting requirements, and reduced executive compensation disclosure obligations. Even after we no longer qualify as an emerging growth company, we may still qualify as a "smaller reporting company," which would allow many of the same exemptions. We have elected not to opt out of the extended transition period for complying with new or revised accounting standards. Investors may find our common stock less attractive because we rely on these exemptions, which may result in a less active trading market and more volatile stock price.

Risks Related to Taxation

Unanticipated changes in effective tax rates or adverse outcomes resulting from examination of our income or other tax returns could adversely affect our results of operations and financial condition.

We may be subject to taxes by the U.S. and foreign tax authorities. Our future effective tax rates could be subject to volatility or adversely affected by a number of factors, including allocation of expenses to and among different jurisdictions, changes in the valuation of our deferred tax assets and liabilities, the expected timing and amount of the release of any tax valuation allowances, tax effects of stock-based compensation, costs related to intercompany restructurings, changes in tax laws, treaties, regulations, or interpretations thereof, and lower than anticipated future earnings in jurisdictions where we have lower statutory tax rates. In addition, we may be subject to audits of our income, sales and other taxes by taxing authorities, and outcomes from these audits could have an adverse effect on our operating results and financial condition.

Changes in tax laws or regulations that are applied adversely to us or our customers may materially adversely affect our business, prospects, financial condition and operating results.

New income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time, or interpreted, changed, modified or applied adversely to us or our customers. For example, the One Big Beautiful Bill Act ("OBBBA"), enacted on July 4, 2025, significantly changed the U.S. tax landscape by implementing revisions to key business tax provisions, including the reinstatement of bonus depreciation deductions, the restoration of earnings before interest, tax, depreciation and amortization ("EBITDA")-based business interest expense limitations, expanded rules related to deductibility of executive compensation, and changes relating to the computation of certain taxes in respect of non-U.S. activities. The long-term effects of OBBBA on our results of operations and cash flows remain uncertain and could be significant. Additionally, the Organization for Economic Cooperation and Development has announced the "Pillar Two" accord to set a minimum global corporate tax rate, which is being or may be implemented in many jurisdictions. If countries amend their tax laws to adopt all or part of the OECD guidelines, this may increase tax uncertainty and increase our tax obligations. To the extent that any changes in tax laws have a negative impact on us, our suppliers, or our customers, these changes may materially and adversely affect our business.

Table of Contents

Our ability to use certain tax attributes may be or become subject to limitation.

Generally, U.S. federal net operating losses may be carried forward indefinitely and may offset up to 80% of taxable income in each year. However, our ability to use federal NOL carryforwards and certain other tax attributes to offset future taxable income may be limited. Our ability to use these tax attributes depends on many factors, including future taxable income, the timing of which is uncertain. In addition, our ability to use NOL carryforwards and other tax attributes may be subject to significant limitations under Section 382 of the Internal Revenue Code of 1986, as amended, and corresponding provisions of state tax law.

General Risk Factors

Macroeconomic conditions, including inflation, rising interest rates, and economic uncertainty, could adversely affect our business, our clients’ budgets, and our cost structure.

Our business and operating results are sensitive to general macroeconomic conditions. Periods of economic slowdown, recession, or heightened uncertainty may cause government customers to reduce, delay, or reprioritize spending on IT and cybersecurity services, which could result in the reduced demand for our solutions, longer sales cycles, or delays in contract awards and renewals. In addition, inflation has increased, and may continue to increase, our operating costs, particularly labor costs, which represent the largest component of our cost of revenue. Our ability to offset such increases through price adjustments may be limited under existing contracts or competitive market conditions. Rising interest rates may also increase our borrowing costs, reduce access to capital, or place additional pressure on our liquidity. These macroeconomic factors, individually or collectively, could materially adversely affect our revenue, margins, cash flows, and overall financial performance.

If securities or industry analysts do not publish research or reports about us, or publish negative reports, our share price and trading volume could decline.

The trading market for our common stock depends in part on the research reports and opinions published by securities or industry analysts. We do not have any control over whether analysts initiate, maintain, or discontinue coverage of our Company, nor over the content of any reports they publish. If analysts do not publish research about us, the market price and trading volume of our common stock could decline. In addition, if our financial or operating performance fails to meet analysts' expectations or published estimates, our stock price could experience increased volatility or a sustained decline, and our visibility in the public markets could be reduced.

Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations

This Management's Discussion and Analysis of Financial Condition and Results of Operations should be read together with our audited consolidated financial statements and the related notes thereto for the fiscal years ended December 31, 2025 and 2024, included in Item 8. Financial Statements and Supplementary Data.

The discussion below contains management's comments on our business strategy and outlook, and such discussions contain forward-looking statements. These forward-looking statements reflect the expectations, beliefs, plans, and objectives of management about future financial performance and assumptions underlying management's judgment concerning the matters discussed, and accordingly involve estimates, assumptions, judgments, and uncertainties. Our actual results could differ materially from those discussed in the forward-looking statements, and the discussion below is not necessarily indicative of future results. Factors that could cause or contribute to any differences include, but are not limited to, those discussed below and elsewhere in this Annual Report on Form 10-K, particularly in "Item 1A. Risk Factors" and in "Special Note Regarding Forward-Looking Statements" at the beginning of this Form 10-K.

General and Business Overview

We were originally incorporated as KAE Holdings, Inc., under the laws of the State of Delaware in 2017, with the purpose of acquiring and holding operating entities in the cybersecurity industry. On July 14, 2020, we changed our corporate name from KAE Holdings, Inc. to Cyber Secure Solutions, Inc., and, on February 24, 2021, to Cycurion, Inc.

We have two first-tier wholly-owned subsidiaries, Cycurion Sub, Inc. (formerly Cycurion, Inc., until February 14, 2025) and Cycurion Crypto, a Delaware corporation formed in July 2025, and three indirectly wholly-owned second-tier subsidiaries: (i) Axxum, a Virginia limited liability company formed in December 2006, (ii) Cloudburst, a Virginia limited liability company formed in January 2007, and (iii) Cycurion Innovation, Inc., a Delaware corporation formed in September 2021, in connection with our acquisition of assets from Sabres, a leading Israeli-based cybersecurity provider.

We deliver high-quality, cybersecurity solutions to federal government civilian, defense, and judiciary agencies in addition to commercial clients across a variety of industries. We, through our operating subsidiaries and strategic partnerships, have numerous prime and subcontracts with key government agencies. Our growth engine is driven by organic business solutions and strategic acquisitions of cyber/ infrastructure service providers.

Our Subsidiaries

Cycurion Sub, Inc.

We own our operating subsidiaries through Cycurion Sub., Inc., a Delaware corporation that, until the closing date of the de-SPAC, was known as "Cycurion, Inc." We continue to conduct our business through the three below-described entities, which are now indirectly wholly-owned second-tier subsidiaries by virtue of the recent closing of the de-SPAC transaction.

Cycurion Crypto Inc.

Our direct wholly-owned subsidiary, Cycurion Crypto, a Delaware corporation, was formed in July 2025 as part of our strategic initiative to position the Company within the expanding digital asset ecosystem and will manage a crypto treasury.

Axxum Technologies LLC

Organized in the Commonwealth of Virginia on December 29, 2006, Axxum is a cybersecurity provider with successful assignments within the multiple sub-agencies of the Department of Homeland Security. We acquired Axxum in November 2017. Following the acquisition, we continued Axxum's core operations of providing contractor services to its existing federal government customer base while leveraging our existing processes and tools to expand its commercial footprint.

Cloudburst Security LLC

Cloudburst is a cybersecurity provider with successful assignments within highly sensitive government agencies and other commercial organizations. We acquired Cloudburst in April 2019. Following the acquisition, we continued Cloudburst’s core operations of providing mission-critical and highly sensitive government agencies and other commercial organizations with high-quality, innovative cybersecurity services. Cloudburst focuses on providing tailored solutions that leverage the industry's best minds and technologies to predict, protect, detect, respond, and sustain our clients from the latest evolving cyber threats.

Table of Contents

Cycurion Innovation, Inc.

Cycurion Innovation, Inc. was formed in connection with our acquisition of assets from Sabres, a leading Israeli-based cybersecurity provider. It operates our Cycurion Security Platform’s line of products allows our customers to improve their cyber posture with its MDP SaaS platform. This platform efficiently bundles and easily implements the external protection of a WAF and the internal protection of Bot Mitigation. Bot Mitigation is the reduction of risk to applications, Application Program Interfaces ("APIs"), and backend services from malicious bot traffic that fuels common automated attacks, such as DoS campaigns and vulnerability probing. The costs of single-layer security can be measured in terms of money, time, and risk, as well as the damage wrought by a data breach, which millions of businesses experience each year. Through this interaction of the WAF and Bot Mitigation, the MDP is able to reinforce these layers of security and generate new security layers in real time in response to emerging threats. This process is directed by our Cycurion Security Platform's proprietary, cloud-based AI algorithm. Crucially, the AI underpinning the MDP platform is constantly evolving to counter new threats. Through a crowdsourcing process, the cloud-based MDP learns from every threat to any protected application and uses that newly acquired knowledge to protect all MDP clients better.

Master Service Agreement with SLG Innovation, Inc.

The SLG team has an average of over 25 years of experience in the development, planning, implementation, and management of information systems. SLG's leadership team offers years of combined success in answering the needs of government agencies and healthcare organizations across the country.

The SLG team has worked nationally, as it has served over 25 Department of Health and Human Services agencies, all 50 state governments, and over 250 local governments. Since SLG's inception, it has primarily focused on customers in the middle of the country. The team of professionals has successfully delivered information technology, project management, and subject matter services to key health and human service projects, including, but not limited to, state Medicaid programs in Illinois, Indiana, Nebraska, and Tennessee, the Indiana Division of Aging, Illinois Early Intervention, the University of Illinois Division of Specialized Care for Children, the Multiple Myeloma Research Foundation, and many more.

We established a subcontractor — prime contractor relationship with SLG in the fall of 2019, where we serviced several government agencies and commercial customers, State of New Mexico, Cognizant, KPMG, and the University of Illinois in support of SLG. Axxum Technologies and SLG Innovation that relationship in 2020. A subcontractor offers its specialized services to a prime contractor. Unlike prime contractors, who focus on the managerial side of the government contract, subcontractors tend to dedicate their efforts to lending subject matter expertise and delivery of service to the project. Technically strong subcontractors, along with a strong subcontractor plan are essential to boost the success of a project.

As a result of the strong technical skills and experience of the cyber teams at Cycurion and its subsidiaries, SLG Innovation entered into a Master Services Agreement ("MSA") with Axxum Technologies to provide services to SLG customers. The MSA is task order driven and the number of task orders is modified periodically depending on actual customer requirements for IT and cybersecurity services. Over the last three years, Axxum Technologies has assisted SLG Innovation in growing its revenue and customer base. As a result, SLG Innovation now represents a majority of Cycurion revenues.

RCR Acquisition Agreement

RCR Technology Corporation ("RCR") performs certain services for SLG in its role as an SLG subcontractor and, in that context, became a creditor of SLG. In connection with the transactions contemplated by the term sheet with SLG (the "SLG Term Sheet"), on April 25, 2023, Cycurion Sub and RCR also entered into a term sheet (the "RCR Term Sheet") for a distinct, but related transaction. The RCR Term Sheet contemplates a transaction, pursuant to which RCR will sell to Cycurion all of the accounts receivable of SLG in favor of RCR (but for those accounts that are less than 90 days old as of the date of consummation of the contemplated transaction). The consummation of the transactions contemplated by the RCR Term Sheet is contingent upon the consummation of the transactions contemplated by the SLG Term Sheet. We consummated the transactions contemplated by the RCR Term Sheet on September 25, 2025. Cycurion issued 248,006 shares of common stock to RCR as a result of the consummation of the transaction contemplated by the RCR Term Sheet pursuant to the Securities Purchase Agreement, dated September 25, 2025.

The foregoing brief summary description of certain terms and provisions of the RCR Term Sheet does not purport to be complete and is qualified in its entirety by reference to the full text of the RCR Term Sheet, a copy of which is filed as an exhibit to this Annual Report on Form 10-K as Exhibit 10.13 and the full text of the RCR Term Sheet amendments, a copy of each of which are filed as an exhibit to this Annual Report on Form 10-K as Exhibit 10.13a, 10.13b, 10.13c and 10.13d. Readers are encouraged to read those Exhibits in full for a more comprehensive understanding of the transaction contemplated by the RCR Term Sheet.

Table of Contents

Acquisition of Technology

On September 30, 2021, we acquired certain technology assets of Sabres, a leading Israeli-based cybersecurity provider. As part of the asset purchase agreement, we acquired Multi-Dimensional Protection ("MDP"), WAF and Bot Mitigation SaaS platforms, and their associated intellectual property.

Our Cycurion Security Platform's (formerly Sabres') line of products allows our customers to improve their cyber posture with its MDP SaaS platform. This platform efficiently bundles and easily implements the external protection of a WAF and the internal protection of Bot Mitigation. Bot Mitigation is the reduction of risk to applications, APIs, and backend services from malicious bot traffic that fuels common automated attacks, such as DoS campaigns and vulnerability probing. The costs of single-layer security can be measured in terms of money, time, and risk, as well as the damage wrought by a data breach, which millions of businesses experience each year. Through this interaction of the WAF and Bot Mitigation, the MDP is able to reinforce these layers of security and generate new security layers in real time in response to emerging threats. This process is directed by our Cycurion Security Platform's (formerly Sabres') proprietary, cloud-based AI algorithm. We do not have AI processing in the production version of the software. That version is in the testing and evaluation phase. Crucially, the AI underpinning the MDP platform is constantly evolving to counter new threats. Through a crowdsourcing process, the cloud-based MDP learns from every threat to any protected application and uses that newly acquired knowledge to protect all MDP clients better.

Our Cycurion Security Platform's (formerly Sabres') line of products provides solutions for substantially all web application security needs. These products provide solutions, whether a client is in need of a web application firewall to comply with regulations and ensure it has a first line of defense against the hazards that the internet can present or is in need of enterprise-level products that empower SOC teams and security management. Our Cycurion Security Platform's constantly survey a client's data to detect security issues in need of attention, send automatic updates, and provide the client with a complete database of rules and threats.

We have integrated the technology assets that we acquired from Sabres (which now constitutes our Cycurion Security Platform) into our Managed Security Services Practice. We believe that the platform will enhance our service offerings and assist with the expansion of our commercial business. Our dedicated support team will manage the Sabres platform, provide real time reporting, response to security incidents, and will manage all data privacy needs from a single security information and event management SaaS platform dashboard.

Table of Contents

Financial Overview

A number of factors have contributed to our fiscal year 2025 results of operations, the most significant of which are described below. More details on these changes are presented below within our "Results of Operations" section.

• The execution of the SLG Innovation Inc. transaction.

• The completion of the business combination with Western Acquisition Ventures Corp.

Results of Operations

Table MD&A 1: Consolidated Results of Operations

For the Year Ended December 31,

Net revenues

Cost of revenues

Gross profit

Gross profit percentage

Operating expenses:

Selling, general and administrative expenses

Stock compensation expenses

Business combination expenses

Total operating expenses

Operating (loss)/income

Interest income

Interest expense

Gain on debt settlement, net

Other (expense)/income

Other expense, net

(Loss)/income before income taxes

Provision for income tax

Net (loss)/income

Less: Net loss attributable to non-controlling interest

Net (loss)/income attributable to Cycurion

Revenue

Revenues for the year ended December 31, 2025 decreased $2.6 or 14.8% compared to the year ended December 31, 2024. We attribute this decrease in the revenues in 2025 compared to 2024 to delayed start dates of new federal, state and local contracts and the company’s focus on more profitable business.

Cost of revenues

The cost of revenue for the year ended December 31, 2025, was approximately $13.5 million, compared to $14.1 million for the year ended December 31, 2024. The cost of revenue is driven by the costs incurred while delivering services to our customers, therefore the decrease in costs is due to the decrease in revenues.

Selling, general and administrative expenses

Our selling, general and administrative ("SG&A") expenses increased in 2025 compared to 2024 due to additional expenses being recognized in 2025 due to increased costs associated with being a publicly traded company and the addition key individuals for the company's growth strategy.

Table of Contents

Stock compensation expenses

Stock compensation expenses increased in 2025 compared to 2024 as a result of new compensation agreements with executives.

Business combination expenses

Business combination expenses in 2025 are a result of the business combination with Western.

Interest income

Interest income was $27,538 and $20,211 for the year ended December 31, 2025 and 2024, respectively. The change in interest income is a result of the balance of the underlying interesting earning assets.

Interest expense

Interest expense for the year ended December 31, 2025 and 2024, was $1.8 million and $1.2 million, respectively. The change in interest expense is a result of the underlying debt instruments. For further information refer to debt footnotes.

Gain on debt settlement, net

The $1.2 million gain on debt settlement, net for the year ended December 31, 2025 is the result of the conversion of debt to various equity instruments at a lower fair market value than the exchanged debt on the books.

Liquidity and Capital Resources

Our primary sources of liquidity are cash on hand, cash from operations, borrowings under our debt financing arrangements and equity raises through our equity line. As of December 31, 2025, we had $5.3 million in cash and cash equivalents. We believe that our current cash position, access to the capital markets and cash flow generated from operations should be sufficient for our operating requirements through the next several fiscal years.

Cash Flow

Table MD&A 2: Net Changes in Cash and Cash Equivalents

For the Year Ended December 31,

Net cash used in operating activities

Net cash provided by/(used in) investing activities

Net cash provided by financing activities

Net increase/(decrease) in cash and cash equivalents

Net Cash Used In Operating Activities

For the year ended December 31, 2025, net cash used by operating activities was $12.1 million, compared to $1.4 million for the year ended December 31, 2024. The main drivers of this increase are the additional merger expenses incurred in 2025 and the additional corporate level costs to build out a management team and brand for organic growth and acquisitions.

Net Cash Provided By/(Used In) Investing Activities

For the year ended December 31, 2025, net cash provided in investing activities was approximately $1.4 million, compared to a $0.9 million use of cash for the year ended December 31, 2024. The cash inflow in 2025 was a result of the Trust Account (as defined below) for redemption and cash released from the Trust Account to the Company.

Table of Contents

Net Cash Provided by Financing Activities

For the year ended December 31, 2025, net cash provided by financing activities was $15.9 million. The net cash provided includes $7.0 million in proceeds from the equity line of credit, $4.8 million of proceeds from the private placement capital raise in December 2025, $3.7 million proceeds provided from the exercise of warrants, $2.4 million in proceeds from convertible notes payable, $0.5 million in proceeds provided from notes payable, partially offset by a cash outflow of $1.0 million cash used in redemption of common stock.

For the year ended December 31, 2024, net cash provided by financing activities was $1.7 million. The Company received $1.0 million from a private placement.

Going Concern

We have incurred operating losses since inception through the period ended December 31, 2025, having had negative cash flow from operations. As of December 31, 2025, we had an accumulated deficit of approximately $26.9 million, as compared to our accumulated deficit of approximately $3.2 million as of December 31, 2024. The increase of our accumulated deficit was a result of our net losses for 2025.

Furthermore, we expect continued, significant operating losses for the next few years. We also utilized cash in operations of approximately $12.1 million for the year ended December 31, 2025. As of December 31, 2025, we had unrestricted cash of approximately $5.3 million, an increase of $5.2 million from approximately $38,742 as of December 31, 2024. As of December 31, 2025, our total assets increased to approximately $33.5 million from approximately $25.6 million as of December 31, 2024, primarily due to increases in goodwill. Based on our current capital resources as of December 31, 2025, including our unrestricted cash and accounts receivable, net of $7.9 million, we expect to be able to continue our operations for a minimum of 12 months as of the date of this annual report. Nevertheless, our continuation as a going concern is dependent on our ability to obtain additional financing until we can generate sufficient, consistent cash flow from operations to meet the expected growth in our obligations. We intend to continue to seek additional debt or equity financing to continue our operations.

Our consolidated financial statements have been prepared on a going concern basis, which implies we may not continue to meet our obligations and continue our operations for the next fiscal year. The continuation of our Company as a going concern is dependent upon our ability to obtain necessary debt or equity financing to continue operations until we begin generating positive cash flow.

There is no assurance that we will ever be consistently profitable or, notwithstanding our recent financing activities, that debt or equity financing will be available to us in the amounts, on terms, and at times deemed acceptable to us, if at all. The issuance of additional equity securities by us would result in a significant dilution in the equity interests of our current stockholders. Obtaining commercial loans, assuming those loans would be available, would increase our liabilities and future cash commitments. If we are unable to obtain financing in the amounts and on terms deemed acceptable to us, we may be unable to continue our business, as planned, and as a result may be required to scale back or cease operations for our business, the result of which would be that our stockholders would lose some or all of their investment. The consolidated financial statements do not include any adjustments to reflect the possible future effects on the recoverability and classification of assets or the amounts and classifications of liabilities that may result should we be unable to continue as a going concern.

Off-balance sheet arrangements

We did not have any off-balance sheet arrangements during the periods presented, and we do not currently have any off-balance sheet arrangements, as defined in the SEC rules and regulations.

Critical Accounting Policies and Estimates

Goodwill and Other Long-Lived Assets

We evaluate the impairment of goodwill and other long-lived assets in accordance with Accounting Standards Codification ("ASC") 350, "Intangibles Goodwill and Other." Management annually reviews goodwill and other long-lived assets for impairment or whenever events or changes in circumstances indicate the carrying amount may not be recoverable. If we determine that the carrying value of the goodwill and other long-lived assets may not be recoverable, we will record an impairment charge for the amount by which the carrying value of the goodwill and other long-lived assets exceeds its fair value.

Table of Contents

Goodwill is not amortized, but rather tested for potential impairment as of December 31 each year. The goodwill impairment test is performed at the reporting unit level, which is only one for our company. Accounting requirements provide that a reporting entity may perform an optional qualitative assessment on an annual basis to determine whether events occurred or circumstances changed that would more likely than not reduce the fair value of a reporting unit below its carrying amount. If an initial qualitative assessment identifies that it is more likely than not that the fair value of a reporting unit is less than its carrying amount, or the optional qualitative assessment is not performed, a quantitative analysis is performed.

In testing goodwill for impairment, we first assess the qualitative factors to determine whether the existence of events or circumstances leads to a determination that it is more likely than not that the fair value of a reporting unit is less than its carrying value. If, after the assessment, we determine that an impairment indicator exists, we perform the quantitative goodwill impairment test. The Company performs the quantitative goodwill impairment test by calculating the fair value of the reporting unit and comparing it to its respective carrying value including goodwill. If the fair value is less than the carrying value, the amount of impairment expense is equal to the difference between the reporting unit's fair value and the reporting unit's carrying value.

Determining the fair value of a reporting unit requires management's judgment and involves the use of significant estimates and assumptions, including forecasted revenue, operating margins, capital expenditures, and selection and use of an appropriate discount rate commensurate with the risk inherent in each of our reporting units' current business models. We utilize the weighted average cost of capital as derived by certain assumptions specific to our facts and circumstances as the discount rate. Our estimate of cash flows and discount rate are subject to change due to the economic environment. A relatively small change in the underlying assumptions, including if the financial performance of the reporting unit does not meet expectations in future years, may cause a change in the results of the impairment assessment in future periods and, as such, could result in goodwill impairment.

We use a discounted cash flow approach to determine the fair value of a reporting unit. The determination of discounted cash flows of the reporting units and assets and liabilities within the reporting units requires significant estimates and assumptions. These estimates and assumptions primarily include, but are not limited to, the discount rate being the weighted average cost of capital ("WACC") for the firm, terminal growth rates, earnings before depreciation and amortization, and capital expenditures forecasts.

Given the fact we are operating in a net loss position, for the year ended December 31, 2025, management performed a quantitative assessment of our one reporting unit and determined that the fair value of goodwill exceeds the carrying value.

Due to the nature of our business and other factors described in Item 1A, "Risk Factors," of this Annual Report on Form 10-K, the profitability of our individual reporting units may periodically be affected by downturns in customer demand, operational challenges, and other factors. If material adverse conditions occur that impact one or all of our reporting units, our determination of future fair value might not support the carrying amount of our reporting units, and the related goodwill may be impaired. We will continue to monitor any changes to our assumptions and will evaluate goodwill as deemed warranted during future periods.