Partnering with Oasis Security: The Stars Align
At Sequoia, we look for strong teams going after growing markets. In Danny Brickman and Amit Zimerman, and non-human identity security, that’s exactly what we found.
When we first met Danny Brickman in the summer of 2021, we identified him as a young star in the Israeli entrepreneurial ecosystem and someone we should watch. At the time, he was still ideating and had not started a company. But we recognized in him the same passion and drive we’d seen in the founders of Sequoia portfolio companies Wiz and Cyera (who, like Danny, are graduates of the elite Talpiot program).
At the same time, we at Sequoia were developing a thesis that identity was the largest remaining opportunity in security. Why? In part because when we asked CISOs to name their top three priorities, identity security was the most frequent theme. In the lingo of security pros, identity is the new perimeter, with the majority of security attacks today occurring via a malicious actor stealing a user’s identity. It is more important than ever to tighten that perimeter, and to have solid answers to questions like who should have access to what—and who is actually accessing what. Which team members need to use which apps and resources? What kind of access should they have? Are their current privileges too broad?
Most of us are very familiar with the process of securing how humans access systems. We may even get annoyed by the constant reminders to choose stronger passwords—but we know how costly it can be to have our private identity stolen or to allow an attacker into our corporate systems. What comes as a surprise to many, though, is that only a very small fraction of access requests in a company today actually come from humans. In the age of distributed systems, microservices, APIs, automation and AI agents, the overwhelming majority of these requests are from systems and machines—with their own identities, just like ours—accessing other systems and machines.
These non-human identities now outpace human ones by a factor of at least 10, and in some companies 50 or 100—an abundance of riches for an attacker to go after! But even more important, some of these non-human identities like service accounts and secrets (API keys, tokens and certificates) have much broader privileges than most human users; they may be able to not only access an application but also modify its settings or even delete it entirely! And in the hands of bad actors, such identities can wreak yet more havoc—from deleting an entire AWS environment to exfiltrating a lot of data.
As critical as non-human identities have become, however, the processes and tools for securing them and managing their lifecycle are still emerging—and that can leave teams vulnerable to ticking time bombs, just waiting to explode. One security leader told us about a key generated with permission to read all of the company’s email, with no constraints—which was then emailed to an external contractor who used it to write software on their personal device. Another security admin found a Slack app designed for Christmas greetings that also had full read access to all conversations. Then there was the small recruiting product with root access to all Gmail.
As we at Sequoia explored the challenges and opportunities in the identity security space, we wrote an internal white paper detailing the need we saw, and were considering incubating a company in the domain. But Danny and co-founder Amit Zimerman were recognizing the same opportunity—and they decided to tackle it themselves.
Oasis Security takes a holistic approach to securing non-human identities, solving for the specific issues that make managing their lifecycle so different from managing human identities. This includes not only the scale, but the rate of change. Human identities change at the rate of employees joining and leaving the team—or changing their passwords. Non-human identities, on the other hand, can be ephemeral, including short-lived tokens and certificates that expire in seconds. Oasis Security’s platform also accounts for the “blast radius” of non-human identities, which are more likely to interfere with entire systems than with individual users.
The Sequoia team is thrilled that the stars aligned for us to support this important work and lead Oasis Security’s Series A, and we are proud to be in business with Danny, Amit and their team as they work to build a generational company. In the face of the huge and growing challenge of securing non-human identity, they are leading the charge toward a solution—and we will all be safer for it.