How can an enterprise, massive or small, make sure that all of the software program and providers it depends upon are speaking securely with each other?
The usual for roughly the final quarter century — a lot of the complete historical past of the net thus far — has been to challenge digital “keys.” But these keys are sometimes static — that means they do not change until somebody or one thing adjustments them, or “rotates” them, a time consuming, tedious, and sometimes overwhelming course of given what number of totally different interconnected providers firms depend on.
Now Hush Safety thinks it has a greater, safer, and extra environment friendly resolution for authenticating enterprise units and functions: utilizing a brand new “policy-based” strategy that solely offers an organization’s units and functions entry to different providers when wanted. The Israeli agency has emerged from stealth as we speak, backed by $11 million in seed funding led by Battery Ventures and YL Ventures.
Based in 2024 by the workforce behind Meta Networks, which was acquired by Proofpoint in 2019, Hush Safety was born from a deeply private frustration.
“We began Hush Safety a yr in the past as a result of we wished to repair an issue that had been bugging us for a very long time: the best way machine-to-machine authentication is dealt with in fashionable software program,” stated CEO and co-founder Micha Rave in a video name interview with VentureBeat final week.
The character of the issue with machine authentication
In as we speak’s digital infrastructure, software program functions and providers don’t function in isolation — they continuously speak to 1 one other. A fee system may must confirm transactions with Stripe. A backend service could fetch knowledge from a third-party analytics device. Even inside apps typically want to speak throughout methods throughout the identical firm.
To safe these machine-to-machine conversations and ensure that solely the best software program has entry, builders use API keys and tokens — distinctive strings of characters that act like digital ID playing cards or passwords for machines.
This strategy turned frequent within the early 2000s, and by the 2010s it had change into the default. As firms embraced cloud computing, APIs, and software-as-a-service (SaaS) platforms like AWS and Google Cloud, these providers offered API keys to handle who or what might entry them.
It was a easy and handy means for builders to attach methods while not having advanced infrastructure. On the time, it made sense — it was quick, versatile, and straightforward to implement throughout small or rising groups.
However that early simplicity got here with long-term trade-offs. These credentials are sometimes static, that means they don’t change until somebody manually updates them. That additionally means they don’t adapt to context (like who’s utilizing them, when, or from the place), and so they can final indefinitely if nobody intervenes.
Over time, this introduces severe safety dangers: if an API secret’s by chance uncovered — say, checked right into a public GitHub repository or left in a log file — an attacker might use it to impersonate trusted software program and achieve unauthorized entry to delicate methods.
To keep away from this, firms are anticipated to rotate their keys usually—that’s, generate new ones and exchange the previous. However in contrast to human passwords that may be reset routinely or expire, API keys should be rotated manually. And the method is difficult. It sometimes entails:
-
Logging into the exterior supplier’s dashboard (like Stripe or AWS),
-
Creating a brand new key and securely storing it—normally in a secrets and techniques vault or config file
-
Updating every bit of software program that used the previous key
-
Testing to make sure nothing breaks, and
-
Coordinating throughout a number of groups.
What makes this even more durable is that the exterior service (the important thing issuer) doesn’t confirm how the secret’s used after it is generated. The issuer merely checks that somebody was logged in when the important thing was created—normally counting on username, password, and multi-factor authentication.
However as soon as that key exists, anybody who will get maintain of it will possibly use it, with no built-in checks to verify it’s nonetheless being utilized by the best software program. Until an organization builds its personal layers of safety — like IP whitelisting or logging —there’s no method to know if a secret’s being utilized by the true system or by an attacker.
This wasn’t an enormous downside when firms solely had a number of APIs and a small variety of providers. Nevertheless, as we speak’s software program environments are vastly extra advanced. Organizations depend on microservices, automated deployment pipelines, machine studying fashions, and AI brokers — all of which want credentials to perform.
Now, as an alternative of managing a dozen keys, a typical firm might need hundreds. As Rave put it, “What was once a handful of keys in a company has exploded to hundreds, unfold throughout groups, with poor hygiene and no unified system for rotation or administration.”
In fashionable workplaces, this explosion creates each a safety threat and an operational burden. Credentials are sometimes hard-coded into functions, scattered throughout environments, or forgotten completely. When rotation does occur, it’s typically inconsistent — and if a secret’s missed or misconfigured, methods can break or change into weak to assault. In the meantime, attackers have more and more begun to focus on machine credentials particularly, exploiting their weak rotation and poor visibility as a method to infiltrate software program provide chains or automated methods.
Hush Safety was created to deal with these precise issues. As an alternative of making an attempt to make key administration barely higher, it eliminates static keys completely. Its platform replaces long-lived credentials with just-in-time, policy-based entry — that means machines are given permission solely after they want it, primarily based on strict insurance policies enforced in real-time.
This removes the necessity to manually rotate secrets and techniques, reduces the probabilities of a leak, and gives stronger ensures that entry is getting used appropriately.
Breaking with legacy approaches
Vault-based secrets and techniques managers — lengthy the usual for managing credentials — have more and more change into a legal responsibility slightly than an answer.
Hush cites Gartner analysis forecasting that by 2027, 40% of organizations will transfer to secretless architectures (those who do not depend on storing keys) to flee the scaling limitations and safety gaps of vaults.
“Safety is usually an afterthought if you’re making an attempt to hit enterprise objectives and ship options, and that’s why present methods for managing secrets and techniques are damaged,” Rave famous.
The shortcomings of latest market makes an attempt haven’t helped. “A wave of firms emerged a yr and a half in the past round non-human identities, elevating consciousness however failing to ship actual options — most of these instruments at the moment are deserted,” Rave asserted to VentureBeat.
In distinction, Hush Safety isn’t providing incremental enhancements. “As an alternative of patching a damaged system, we’re providing a essentially totally different strategy: changing secrets and techniques with policy-based machine entry,” he emphasised.
How Hush Safety works
On the coronary heart of Hush’s providing is a runtime-first structure constructed on the SPIFFE (Safe Manufacturing Identification Framework for Everybody) normal.
The platform constantly maps machine-to-machine interactions and routinely converts them into entry insurance policies. These insurance policies outline which workloads can speak to which providers —with out counting on persistent credentials.
“We routinely map each machine-to-machine interplay — so each time a machine connects to a different, we log it and perceive what’s occurring,” Rave defined.
“With one click on, we are able to flip these interactions into insurance policies. If a pc connects to Stripe, for instance, we create a coverage saying solely that pc is allowed to take action.”
“If some other machine in your setting tries to entry Stripe and it’s not a part of that coverage, we block it. It’s exact, managed entry.”
This precision is made doable by routing machine entry by way of Hush’s platform. “We are the ones facilitating the entry, so every thing flows by way of our system. It’s utterly clear to your builders and safety groups.”
Crucially, Hush’s mannequin doesn’t require main adjustments to present infrastructure. “You don’t must make main adjustments or undergo a multi-year transformation — simply onboard Hush Safety, and your setting operates in a different way with no additional burden on engineering,” stated Rave.
Fixing for scale
“For each human identification in an organization, there are 50 to 100 machine identities. And but, nobody has utilized fashionable authentication fashions to them,” Rave identified.
For people, utilizing the only sign-on (SSO) by way of providers provided by tech giants like Google, Apple, and even Discord has change into the norm. Hush is successfully bringing that mannequin to machines.
The platform delivers three core capabilities:
-
Runtime Visibility & Discovery – Repeatedly discovers and maps all workloads, providers, and AI brokers, from code to manufacturing.
-
Runtime Posture Evaluation – Assesses and prioritizes dangers primarily based on runtime habits and potential blast radius slightly than static assumptions.
-
Prevention & Administration – Enforces dynamic, just-in-time entry insurance policies that exchange static secrets and techniques, lowering overhead and eliminating credential-based threats on the supply.
This strategy considerably reduces operational complexity whereas enhancing safety. “We’re not including extra technical debt by chasing secrets and techniques—we’re changing secrets and techniques with a scalable, SSO-style resolution for machines, with out disrupting enterprise priorities,” Rave stated.
What’s subsequent for Hush Safety?
Regardless of working in stealth till as we speak, Hush Safety has already secured enterprise clients, together with a number of Fortune 500 firms. The funding from Battery and YL Ventures will probably be used to develop engineering and scale world go-to-market efforts.
“We’re at a crucial inflection level,” stated Barak Schoster, Accomplice at Battery Ventures in a press launch on the fundraise. “Static secrets and techniques merely can’t hold tempo with fashionable infrastructure, speedy growth cycles, and the calls for of AI-driven workloads.”
Yoav Leitersdorf, Managing Accomplice at YL Ventures, added, “Machine identification safety is coming into a brand new period, and we see Hush Safety main the shift to a safe, policy-based future, particularly as AI brokers and LLMs proliferate.”
The corporate’s free evaluation device is out there now, serving to organizations detect and map secrets and techniques similar to API keys and repair credentials throughout environments.
It identifies how these credentials are used throughout code, runtime, and AI interactions. Clients can then migrate to Hush’s enterprise platform with a single click on, eliminating credential sprawl completely.
Hush’s imaginative and prescient is each bold and pragmatic: exchange a decades-old normal with out forcing disruptive adjustments on groups. As Rave put it, “We form of transfer you to a coverage and SSO-based strategy with out breaking any of your corporation priorities or engineering circulate.”
By concentrating on the basis of the issue — not simply its signs — Hush Safety goals to redefine how machine identities are authenticated in an period dominated by automation and AI.