
Hush Security Emerges From Stealth to Eliminate Credential Threats With No-Secrets Platform

Tel Aviv–based startup replaces vaults and secrets managers with just-in-time policies, aiming to eliminate credentials entirely. The post Hush Security Emerges From Stealth to Eliminate Credential Threats With No-Secrets Platform appeared first on SecurityWeek.

Hush Security has emerged from stealth with $11 million in seed funding and a machine access platform that eliminates secrets.

The seed funding is led by Battery Ventures and YL Ventures. 

The new machine access platform uses just-in-time policy rather than secrets. The purpose is to remove the current reliance on overburdened vaults and secrets managers to maintain secrets. The receiving machine decides at the time of contact whether to allow access and requires no incoming machine identity key.

Over the past decade, the need for and use of machine IDs has expanded rapidly. Software now sits between different clouds, and in on-prem datacenters. Rapidly growing use of SaaS solutions increases the proliferation, and the arrival of agentic AI is accelerating the problem. 

“Every time a software interaction occurs, it needs a key,” comments Micha Rave (CEO and co-founder of Hush Security). “How do you produce that key? How do you pass the key to someone? Who owns the manual process? It moves between different teams: the security team, the operations team, the development and engineering team – each of them needs to be part of that process.”

Much of this is currently built around keeping the secrets safely stored in a secure vault, itself a single point of value. Hush calls the vault system a legacy solution, perhaps with some justification since Gartner has predicted that 40% of organizations will adopt an approach not dependent on secrets by 2027.

The Hush solution is to define the role of the secret key as a policy within the code of the software being accessed. Instead of demanding a key (that could have been stolen and is only a pseudo identity that doesn’t genuinely prove anything) the policy defines which machine, or which group of machines, will be granted access to any service.

This policy can be as tight or as loose as necessitated by the level of risk tolerance of the service being accessed. Access could be limited to an individual computer, perhaps based on its serial number, or a range of other attributes that only belong to one computer or a group of known and approved computers. 

It could also be conditional: “This machine can access this service only between 8:00 am and 4:00 pm,” explains Rave; “That machine can access that service only if another service, like Wiz [now part of Google Cloud, but under DoJ antitrust review] or like Palo Alto, has already told me that the machine is completely safe. If it’s not completely safe, don’t let it access the service.”

Hush can help with the transition to this no-secrets approach by mapping all the existing interactions and converting them into a baseline of policies. Continuation then becomes largely a maintenance exercise: fine-tuning existing policies and adding new policies for new interactions.

While the new system does require manual effort in developing and implementing the policies, the Hush platform is predicated on the belief that the labor involved is less than that required to implement and manage separate keys – and far more secure. Credential-based threats, for example, become a thing of the past because there are no credentials. “We’ve eliminated the need for credentials entirely,” says Rave.

“Chasing secrets or watching dashboards doesn’t stop attacks,” he continues. “Vaults were built for an era where environments changed slowly and AI was not part of the equation. That era is over. AI agents, ephemeral workloads, and automation have changed the game, and the vault model can’t keep up.”

Hush Security (based in Tel Aviv, Israel) was founded in 2024 by Micha Rave (CEO), Chen Nisnkorn (CCO), Shmulik Ladkani (CTO), and Alon Horowitz (VP R&D). The funding will be used to expand engineering and accelerate global GTM efforts.
