Hush Security emerges from stealth to eliminate risks, burdens of static machine authentication keys

by CybrGPT

How can an enterprise, large or small, ensure that all the software and services it relies upon are communicating securely with one another?

The standard for roughly the last quarter century — much of the entire history of the web to date — has been to issue digital “keys.” Yet these keys are typically static: they don’t change unless someone or something changes, or “rotates,” them, a time-consuming, tedious, and often overwhelming process given how many interconnected services companies rely on.

Now Hush Security thinks it has a better, more secure, and more efficient solution for authenticating enterprise devices and applications: using a new “policy-based” approach that only gives a company’s devices and applications access to other services when needed. The Israeli firm has emerged from stealth today, backed by $11 million in seed funding led by Battery Ventures and YL Ventures.

Founded in 2024 by the team behind Meta Networks, which was acquired by Proofpoint in 2019, Hush Security was born from a deeply personal frustration.

“We started Hush Security a year ago because we wanted to fix a problem that had been bugging us for a long time: the way machine-to-machine authentication is handled in modern software,” said CEO and co-founder Micha Rave in a video call interview with VentureBeat last week.

The nature of the problem with machine authentication

In today’s digital infrastructure, software applications and services don’t operate in isolation — they constantly talk to one another. A payment system might need to verify transactions with Stripe. A backend service may fetch data from a third-party analytics tool. Even internal apps often need to communicate across systems within the same company.

To secure these machine-to-machine conversations and make sure that only the right software has access, developers use API keys and tokens — unique strings of characters that act like digital ID cards or passwords for machines.

This approach became common in the early 2000s, and by the 2010s it had become the default. As companies embraced cloud computing, APIs, and software-as-a-service (SaaS), cloud providers such as AWS and Google Cloud, along with SaaS platforms, issued API keys to control who or what could access their services.

It was a simple and convenient way for developers to connect systems without needing complex infrastructure. At the time, it made sense — it was fast, flexible, and easy to implement across small or growing teams.

But that early simplicity came with long-term trade-offs. These credentials are typically static, meaning they don’t change unless someone manually updates them. That also means they don’t adapt to context (like who’s using them, when, or from where), and they can last indefinitely if no one intervenes.

Over time, this introduces serious security risks: if an API key is accidentally exposed — say, checked into a public GitHub repository or left in a log file — an attacker could use it to impersonate trusted software and gain unauthorized access to sensitive systems.

To avoid this, companies are expected to rotate their keys regularly, that is, generate new ones and replace the old. But unlike human passwords, which can be made to expire and be reset automatically, API keys at most providers are long-lived and must be rotated by hand. And the process is complicated. It typically involves:

  • Logging into the external provider’s dashboard (like Stripe or AWS),

  • Creating a new key and storing it securely, ideally in a secrets vault rather than a config file,

  • Updating every piece of software that used the old key

  • Testing to ensure nothing breaks, and

  • Coordinating across multiple teams.
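One way to carry out those steps without an outage, as an added example that is not part of the original article and is neither Hush Security's code nor any provider's real API: the `Issuer` class below is a constructed in-memory stand-in for a provider dashboard, the consumer names and dates are made up, and the two checks worth copying are the grace period placed on the old key and the refusal to revoke it while a consumer is still seen authenticating with it.

```python
"""Rotating a static API key with an overlap window (constructed model).

Not Hush Security's code and not a real provider API. `Issuer` stands in for
the dashboard of a service such as Stripe or AWS; consumer names and dates are
made up for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets


@dataclass
class ApiKey:
    key_id: str
    secret: str
    created: datetime
    not_after: Optional[datetime] = None  # None: never expires (the static default)


@dataclass
class Issuer:
    keys: dict = field(default_factory=dict)       # key_id -> ApiKey
    last_seen: dict = field(default_factory=dict)  # consumer -> key_id it last used

    def mint(self, now: datetime) -> ApiKey:
        key = ApiKey(f"key_{secrets.token_hex(4)}", secrets.token_urlsafe(32), now)
        self.keys[key.key_id] = key
        return key

    def authenticate(self, consumer: str, presented: str, now: datetime) -> bool:
        """Bearer check: any unexpired key matching the string is accepted.
        `last_seen` models what a provider's access log would tell you."""
        for key in self.keys.values():
            if secrets.compare_digest(key.secret, presented):
                if key.not_after is not None and now >= key.not_after:
                    return False
                self.last_seen[consumer] = key.key_id
                return True
        return False

    def begin_rotation(self, old_id: str, now: datetime, grace: timedelta) -> ApiKey:
        """Mint the replacement and put the old key on a deadline instead of
        deleting it, so consumers not yet redeployed keep working meanwhile."""
        new = self.mint(now)
        self.keys[old_id].not_after = now + grace
        return new

    def stragglers(self, old_id: str) -> list:
        """Consumers whose most recent authentication still used the old key."""
        return sorted(c for c, kid in self.last_seen.items() if kid == old_id)

    def finish_rotation(self, old_id: str) -> bool:
        """Revoke only once nothing is observed depending on the old key."""
        if self.stragglers(old_id):
            return False
        del self.keys[old_id]
        return True


def rotation_demo() -> dict:
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    issuer = Issuer()
    old = issuer.mint(t0)
    for consumer in ("billing-api", "report-cron"):  # both deployed with the old key
        issuer.authenticate(consumer, old.secret, t0)
    new = issuer.begin_rotation(old.key_id, t0, grace=timedelta(days=7))
    # billing-api is redeployed with the new key; report-cron is forgotten.
    issuer.authenticate("billing-api", new.secret, t0 + timedelta(days=1))
    issuer.authenticate("report-cron", old.secret, t0 + timedelta(days=1))
    premature = issuer.finish_rotation(old.key_id)   # refused: report-cron still on old key
    left_behind = issuer.stragglers(old.key_id)      # ['report-cron']
    # Past the grace period the old key stops working whether or not anyone noticed.
    old_after_grace = issuer.authenticate("report-cron", old.secret, t0 + timedelta(days=8))
    issuer.authenticate("report-cron", new.secret, t0 + timedelta(days=8))
    completed = issuer.finish_rotation(old.key_id)   # now allowed
    return {"premature_revoke": premature, "stragglers": left_behind,
            "old_key_after_grace": old_after_grace, "completed": completed,
            "active_keys": sorted(issuer.keys)}


if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(f"{name}: {value}")
```

What this model cannot catch is a consumer that holds the old key but has not called the provider since rotation began; that is exactly the forgotten cron job that breaks on the day the grace period ends, and it is why the coordination step in the list above is the hard part.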

What makes this even harder is that the external service (the key issuer) doesn’t verify how the key is used after it’s generated. The issuer simply checks that someone was logged in when the key was created—usually relying on username, password, and multi-factor authentication.

But once that key exists, anyone who gets hold of it can use it; there is no built-in check that the caller is still the software the key was issued to. Unless a company adds its own layers on top, such as IP allowlisting to limit where the key can be used from, or access logging to spot misuse after the fact, there is no way to tell whether a key is being used by the real system or by an attacker.

This wasn’t a huge problem when companies only had a few APIs and a small number of services. However, today’s software environments are vastly more complex. Organizations rely on microservices, automated deployment pipelines, machine learning models, and AI agents — all of which need credentials to function.

Now, instead of managing a dozen keys, a typical company might have thousands. As Rave put it, “What used to be a handful of keys in an organization has exploded to thousands, spread across teams, with poor hygiene and no unified system for rotation or management.”

In modern workplaces, this explosion creates both a security risk and an operational burden. Credentials are often hard-coded into applications, scattered across environments, or forgotten entirely. When rotation does happen, it’s often inconsistent — and if a key is missed or misconfigured, systems can break or become vulnerable to attack. Meanwhile, attackers have increasingly begun to target machine credentials specifically, exploiting their weak rotation and poor visibility as a way to infiltrate software supply chains or automated systems.

Hush Security was created to address these exact problems. Instead of trying to make key management slightly better, it eliminates static keys entirely. Its platform replaces long-lived credentials with just-in-time, policy-based access — meaning machines are given permission only when they need it, based on strict policies enforced in real-time.

This removes the need to manually rotate secrets, reduces the chances of a leak, and provides stronger guarantees that access is being used appropriately.

Breaking with legacy approaches

Hush argues that vault-based secrets managers, long the standard for managing credentials, have increasingly become a liability rather than a solution.

Hush cites Gartner research forecasting that by 2027, 40% of organizations will move to secretless architectures (those that don’t rely on storing keys) to escape the scaling limitations and security gaps of vaults.

“Security is often an afterthought when you’re trying to hit business goals and ship features, and that’s why current systems for managing secrets are broken,” Rave noted.

The shortcomings of recent market attempts haven’t helped. “A wave of companies emerged a year and a half ago around non-human identities, raising awareness but failing to deliver real solutions — most of those tools are now abandoned,” Rave asserted to VentureBeat.

In contrast, Hush Security isn’t offering incremental improvements. “Instead of patching a broken system, we’re offering a fundamentally different approach: replacing secrets with policy-based machine access,” he emphasized.

How Hush Security works

At the heart of Hush’s offering is a runtime-first architecture built on the SPIFFE (Secure Production Identity Framework for Everyone) standard.

The platform continuously maps machine-to-machine interactions and automatically converts them into access policies. These policies define which workloads can talk to which services —without relying on persistent credentials.

“We automatically map every machine-to-machine interaction — so every time a machine connects to another, we log it and understand what’s happening,” Rave explained.

“With one click, we can turn those interactions into policies. If a computer connects to Stripe, for example, we create a policy saying only that computer is allowed to do so.”

“If any other machine in your environment tries to access Stripe and it’s not part of that policy, we block it. It’s precise, controlled access.”
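The contrast between a static key and the policy model Rave describes, as an added example that is not from the article and is not Hush Security's own code. It assumes workload identities arrive as already-verified SPIFFE IDs (in practice proven by an X.509 SVID over mTLS), uses a constructed trust domain `example.org`, constructed runtime records and made-up service names, and compresses discovery, policy generation and enforcement into a few functions.

```python
"""Static bearer keys versus identity-bound, policy-based machine access.

Added illustration, not Hush Security's code. SPIFFE IDs are taken as already
authenticated; log records, service names and the trust domain are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse
import secrets

# ---- legacy model: a static API key is a bearer credential -----------------
STRIPE_KEY = "sk_live_constructed_example_only"  # constructed placeholder, not a real key


def bearer_allows(presented: str) -> bool:
    """The issuer only checks the string. The real billing service and an
    attacker who found the key in a log are indistinguishable."""
    return secrets.compare_digest(presented, STRIPE_KEY)


# ---- identity-bound model: policies keyed on SPIFFE IDs --------------------
@dataclass(frozen=True)
class Connection:
    source_spiffe_id: str  # e.g. spiffe://example.org/ns/prod/sa/billing
    destination: str       # e.g. api.stripe.com


def valid_spiffe_id(sid: str, trust_domain: str) -> bool:
    """Accept only well-formed IDs from our own trust domain."""
    u = urlparse(sid)
    return u.scheme == "spiffe" and u.netloc == trust_domain and u.path.startswith("/")


def parse_log(text: str) -> list:
    """Parse constructed runtime records of the form 'src=<spiffe id> dst=<host>'."""
    conns = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        conns.append(Connection(fields["src"], fields["dst"]))
    return conns


def discover(observed: list, trust_domain: str) -> dict:
    """Turn observed interactions into per-destination allow sets (the
    'map every interaction, then make it a policy' step). Records from
    identities outside the trust domain are refused, not learned."""
    policy = defaultdict(set)
    for c in observed:
        if not valid_spiffe_id(c.source_spiffe_id, trust_domain):
            raise ValueError(f"untrusted or malformed identity: {c.source_spiffe_id}")
        policy[c.destination].add(c.source_spiffe_id)
    return dict(policy)


def is_allowed(policy: dict, conn: Connection) -> bool:
    """Default deny: a destination with no policy admits nobody."""
    return conn.source_spiffe_id in policy.get(conn.destination, set())


# Constructed runtime observations for the mapping phase.
SAMPLE_LOG = """
src=spiffe://example.org/ns/prod/sa/billing dst=api.stripe.com
src=spiffe://example.org/ns/prod/sa/billing dst=api.stripe.com
src=spiffe://example.org/ns/prod/sa/reports dst=analytics.internal
"""
TRUST_DOMAIN = "example.org"


def demo() -> dict:
    policy = discover(parse_log(SAMPLE_LOG), TRUST_DOMAIN)
    billing = Connection("spiffe://example.org/ns/prod/sa/billing", "api.stripe.com")
    ci_runner = Connection("spiffe://example.org/ns/ci/sa/runner", "api.stripe.com")
    foreign = Connection("spiffe://evil.example/ns/prod/sa/billing", "api.stripe.com")
    sideways = Connection(billing.source_spiffe_id, "analytics.internal")
    return {
        "leaked_key_still_works": bearer_allows(STRIPE_KEY),  # bearer model: yes
        "billing_to_stripe": is_allowed(policy, billing),       # observed, allowed
        "ci_runner_to_stripe": is_allowed(policy, ci_runner),   # never observed, blocked
        "foreign_domain_to_stripe": is_allowed(policy, foreign),
        "billing_to_analytics": is_allowed(policy, sideways),   # not in billing's policy
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points are deliberate: enforcement is default-deny, so a destination with no learned policy admits no one, and discovery refuses identities from outside the trust domain rather than learning them into policy, since otherwise anyone able to inject a record into the observation log could grant themselves access.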

This precision is made possible by routing machine access through Hush’s platform. “We’re the ones facilitating the access, so everything flows through our system. It’s completely transparent to your developers and security teams.”

Crucially, Hush’s model does not require major changes to existing infrastructure. “You don’t have to make major changes or go through a multi-year transformation — just onboard Hush Security, and your environment operates differently with no extra burden on engineering,” said Rave.

Solving for scale

“For every human identity in a company, there are 50 to 100 machine identities. And yet, no one has applied modern authentication models to them,” Rave pointed out.

For humans, single sign-on (SSO) through identity providers such as Google, Apple, and even Discord has become the norm. Hush is effectively bringing that model to machines.

The platform delivers three core capabilities:

  • Runtime Visibility & Discovery – Continuously discovers and maps all workloads, services, and AI agents, from code to production.

  • Runtime Posture Analysis – Assesses and prioritizes risks based on runtime behavior and potential blast radius rather than static assumptions.

  • Prevention & Management – Enforces dynamic, just-in-time access policies that replace static secrets, reducing overhead and eliminating credential-based threats at the source.

This approach significantly reduces operational complexity while enhancing security. “We’re not adding more technical debt by chasing secrets—we’re replacing secrets with a scalable, SSO-style solution for machines, without disrupting business priorities,” Rave said.

What’s next for Hush Security?

Despite operating in stealth until today, Hush Security has already secured enterprise customers, including several Fortune 500 companies. The funding from Battery and YL Ventures will be used to expand engineering and scale global go-to-market efforts.

“We’re at a critical inflection point,” said Barak Schoster, Partner at Battery Ventures in a press release on the fundraise. “Static secrets simply can’t keep pace with modern infrastructure, rapid development cycles, and the demands of AI-driven workloads.”

Yoav Leitersdorf, Managing Partner at YL Ventures, added, “Machine identity security is entering a new era, and we see Hush Security leading the shift to a secure, policy-based future, especially as AI agents and LLMs proliferate.”

The company’s free assessment tool is available now, helping organizations detect and map secrets such as API keys and service credentials across environments.

It identifies how those credentials are used across code, runtime, and AI interactions. Customers can then migrate to Hush’s enterprise platform with a single click, eliminating credential sprawl entirely.

Hush’s vision is both ambitious and pragmatic: replace a decades-old standard without forcing disruptive changes on teams. As Rave put it, “We kind of move you to a policy and SSO-based approach without breaking any of your business priorities or engineering flow.”

By targeting the root of the problem — not just its symptoms — Hush Security aims to redefine how machine identities are authenticated in an era dominated by automation and AI.

© 2025 cybrgpt.com – All rights reserved.