Posted December 8, 2021

At its core, information security has always been about protecting secrets. From Mary Queen of Scots using one way ciphers to protect her communications, to Navajo Code Talkers using their native language, the goal has always been to keep something private from becoming public. For years the focus of the information security industry was to provide protection by offering defense in depth. Developing additive products that sit on top of the things you are trying to protect. Security products focused on protecting the servers, the network, the endpoints, and the code, making sure each layer had adequate protection added on top. However, with the move to cloud infrastructure, the security landscape has fundamentally changed. Large cloud service providers now provide a considerable amount of security as a feature to their larger product. And with this change, things in the world of information security started getting better… until they didn’t.

With old challenges on their way to being solved, where would the risk shift? At a16z we’ve spent considerable time trying to figure out what this would mean for the broader security industry. While tracking the threat landscape it became apparent that security risks did not just go away. Companies moved to the cloud but breaches were still happening at an even more alarming scale. We noticed a commonality across all the large breaches we dove into – at the heart of almost every large breach was a “secret” that had been disclosed and used to access even more sensitive information. These secrets came in many forms: AWS API keys, 0Auth tokens for SaaS services, passwords hardcoded in code checked into public repositories. It was clear to us that secrets management was the next battlefield.  

Enter Truffle Security. We were over the moon when we heard that Dylan Avery, Julian Dunning, and Dustin Decker would be quitting their jobs to start a company based on their hugely popular TruffleHog open source project. TruffleHog, which is one of the most popular open source cloud security projects to date, has over 6k Github stars, 5k daily deployments, 175k installs via Docker Hub, and numerous other deployments via assorted security oss channels.  

From the beginning it was clear they were the kind of thoughtful, driven, and innovative founders we love working with. Truffle Security focuses on the security and orchestration around the management of secrets. The software works by connecting to code repos, wiki’s, SaaS apps, etc., and scanning for anything that looks like a “secret”. This could be authorization tokens, api keys, or pgp keys. If Truffle finds a secret, it leverages integrations with service providers to validate if the secret is live. If it is a live secret Truffle will escalate the issue to the appropriate teams for rotation and remediation.

We’re very excited to partner with the Truffle Security team and lead their Series A round. Dylan, Julian, and Dustin are exactly the type of founders we love to back, and Truffle Security — which is based on a leading, open, and deeply technical project, and is delivering secrets management solutions to the enterprise — is exactly the type of company we love to be involved in.