Investing in Truffle Security

At its core, information security has always been about protecting secrets. From Mary Queen of Scots using one way ciphers to protect her communications, to Navajo Code Talkers using their native language, the goal has always been to keep something private from becoming public. For years the focus of the information security industry was to provide protection by offering defense in depth. Developing additive products that sit on top of the things you are trying to protect. Security products focused on protecting the servers, the network, the endpoints, and the code, making sure each layer had adequate protection added on top. However, with the move to cloud infrastructure, the security landscape has fundamentally changed. Large cloud service providers now provide a considerable amount of security as a feature to their larger product. And with this change, things in the world of information security started getting better… until they didn’t.

With old challenges on their way to being solved, where would the risk shift? At a16z we’ve spent considerable time trying to figure out what this would mean for the broader security industry. While tracking the threat landscape it became apparent that security risks did not just go away. Companies moved to the cloud but breaches were still happening at an even more alarming scale. We noticed a commonality across all the large breaches we dove into – at the heart of almost every large breach was a “secret” that had been disclosed and used to access even more sensitive information. These secrets came in many forms: AWS API keys, 0Auth tokens for SaaS services, passwords hardcoded in code checked into public repositories. It was clear to us that secrets management was the next battlefield.  

Enter Truffle Security. We were over the moon when we heard that Dylan Avery, Julian Dunning, and Dustin Decker would be quitting their jobs to start a company based on their hugely popular TruffleHog open source project. TruffleHog, which is one of the most popular open source cloud security projects to date, has over 6k Github stars, 5k daily deployments, 175k installs via Docker Hub, and numerous other deployments via assorted security oss channels.  

From the beginning it was clear they were the kind of thoughtful, driven, and innovative founders we love working with. Truffle Security focuses on the security and orchestration around the management of secrets. The software works by connecting to code repos, wiki’s, SaaS apps, etc., and scanning for anything that looks like a “secret”. This could be authorization tokens, api keys, or pgp keys. If Truffle finds a secret, it leverages integrations with service providers to validate if the secret is live. If it is a live secret Truffle will escalate the issue to the appropriate teams for rotation and remediation.

We’re very excited to partner with the Truffle Security team and lead their Series A round. Dylan, Julian, and Dustin are exactly the type of founders we love to back, and Truffle Security — which is based on a leading, open, and deeply technical project, and is delivering secrets management solutions to the enterprise — is exactly the type of company we love to be involved in.



The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see for additional important information.

The enterprise is changing

Sign up for our enterprise newsletter to get the a16z take on the trends reshaping B2B and enterprise tech.