This paper seeks to identify the emerging and expanding gaps in the governance of private cybersecurity companies and activities and to explore ways forward and policy options for governments. First, it explores the characteristics of typical cyber operations and challenges related to their conduct by private actors. Thereafter, it addresses the governance challenges around cybersecurity and three main departure points for regulation: the fact that geographic scope does not limit cybersecurity companies, that cyber operations can slide from defensive to offensive very quickly; and that cybersecurity services are often exported for the purpose of (or with the knowledge they will be) violating human rights. This section will also integrate perspectives of international law. Finally, the paper lays out suggestions for policy options in relation to international law and existing international normative frameworks. In conclusion, the paper offers a framework and way forward as food for thought in order to address cybersecurity operations in relation to PMSCs.