This is Clutch
Announcing our newest portfolio investment – conquering the challenges of non-human identities.

How many identities do you have…other than your secret identity as a superhero? (What you do in your spare time is your business.) At Merlin, we use a single-sign-on solution (SSO)
for our employees, which means I can use one username and password (along with multi-factor
authentication) to log into almost every system we have.

But if you’re a machine, our enterprise solution isn’t managing your accounts, and you probably
aren’t using SSO. As systems have gotten more complex and companies have moved
applications to the more dynamic environments the cloud allows, the number of these non-human
identities has proliferated, often now outnumbering human accounts by a ratio of 45 to 1. And
yet, despite the massive number of these non-human identities (NHIs), many of which have
permissions to access our most sensitive systems and data, they are often poorly tracked. They
are typically owned by application teams and managed at the application level. Security teams
working at the enterprise level have limited visibility into what is going on with the NHIs, making
them a prime target for malicious actors.

Which is why we are so happy to finally unveil our investment in Clutch Security, a company
built from the group up to address the challenges of non-human identities. We met this team early
on, before they were a fully formed company, before they even had a name. That gave us the
opportunity to get to know them, to understand their technical depth and their understanding
of the problem. And when Ofir, Sagi and Tal were ready to raise, we were excited to invest in
them alongside our partners at Lightspeed.

Clutch is tackling a big problem, but more importantly, doing it a way that is digestible and
works with existing infrastructure. Rather than try to rip and replace existing non-human identity
capabilities, they are instead giving companies a path to managing and securing them. They
provide observability at the enterprise level, guard rails and processes around the management
of NHI lifecycles, and perhaps most importantly, a path to migrate away from vulnerable
approaches to NHI management.

The challenges of NHIs are not getting any simpler. The velocity at which we build and deploy
applications is only increasing, bringing along with it an increasing number of these accounts.
New AI capabilities will only increase that proliferation of accounts, and without a strong
platform for managing them, we will continue to see NHIs as an increasingly common attack
vector.

With Clutch, organizations now have a way of taming those threats, putting the controls in place
to allow non-human identities to be managed at the enterprise level. We’re thrilled to be working
with such a talented group of entrepreneurs. The Clutch team knows the problem space, knows
what needs to be done, and has the experience to bring it to market and succeed. We like to invest in top teams, and this is a team of superheroes. To which we say — don’t worry, your identity is safe with us.

2024 Merlin Safari

Next Level: Why a CISO-in-Residence for Merlin Ventures?

At Merlin, we’ve seen tremendous success in the three years since we opened our Tel Aviv office. But no matter how great things are going, we also know that we cannot get complacent, and we strive to constantly reinvent and improve ourselves. It’s how we pivoted from a purely US-based firm into a powerhouse in the Israeli VC market. It’s how we expanded from our initial government focus to having one of the most vibrant commercial security executive communities in VC. This is why we launched a CISO-in-Residence program and brought on a rockstar CISO to help us take that community even further.

Andy Smeaton is not your typical CISO. In addition to knowing his way around NIST standards, he is also someone not afraid to get his hands dirty in the real world. Andy is someone constantly looking to improve the world, whether it’s through rescue missions in Ukraine or, perhaps more mundanely, working with a cybersecurity startup on understanding market needs. The consistent theme in all his actions is that he genuinely cares.

Why bring on a CISO-in-Residence when we already have such a vibrant community? There are always things we can do better, and having a CISO as part of our team gives us one more way to make sure we are listening to the voice of security practitioners.

Wherever we go with this new program, we will continue to be community driven and entrepreneur focused. And we’re looking forward to doing it with Andy as part of the team.

We have Liftoff!

Three years ago, in January of 2021, Merlin Ventures opened our office in Tel Aviv with a goal of finding the best early-stage cyber startups in Israel and bringing them to the US market. But nearly 25 years before that, our sister company, Merlin Cyber, opened its office in the US, and has continued to grow its business of helping companies succeed in the US Government market.

Over the last few years, however, we’ve seen a challenge in bringing companies into the government market. As the majority of companies moved from offering on-prem software to being SaaS-first and eventually to being SaaS-only, we were hitting a very big snag. While on-premise products could be sold to government agencies with relatively little required in terms of security compliance, cloud-based solutions fall under a compliance requirement called FedRAMP that regularly takes years to complete and costs millions of dollars. Even for late-stage, public companies, it’s a huge barrier to entry. For innovative, early-stage companies it’s a showstopper.

And so, three years ago, around the same time we started building out Merlin Ventures’ presence in Israel, Merlin Cyber started working on a project with the goal of significantly reducing the burden of getting through FedRAMP to allow partners to enter the government market and speed up their time to revenue.

Today, we are excited to announce that that project, Constellation GovCloud®, has achieved its Provisional Authority to Operate (P-ATO) from the US Government and is now open for business.

What does that mean for software companies? Constellation is unique in its ability to accelerate a company’s path through the FedRAMP process. In addition to offloading the majority of compliance tasks, it reduces a partner’s compliance costs as their revenues grow in the public sector market. Constellation partners get a lower cost, more predictable path through the FedRAMP process, while relying on a team of experts that handle the hardest parts of the journey.

Constellation GovCloud® is meant to bring the best software innovation into the US government market, and is not limited to Merlin Ventures portfolio companies. But on the Merlin Ventures side of things, we are very excited about the possibilities Constellation GovCloud opens up to help accelerate our portfolio companies’ entry into the massive US Federal, State and Local government markets.

Today our portfolio companies will tell you the greatest value Merlin Ventures brings is around understanding US commercial markets and getting early customer traction, and that isn’t changing. But with Constellation GovCloud®, that’s only half the story. We invest in the most innovative companies in the world, and with Constellation, we’ve just opened up a massive, untapped market for them.

Dig Security, Talon Cyber Security Acquired by Palo Alto Networks

Over the last month, I’ve been asked by many people how the Israeli companies we work with are doing. I tell them that everyone in Israel has been impacted in some way by the war, some more than others. But I also tell them the message that Israeli founders keep asking me to pass on: As much as they may be hurting emotionally, and while they may be short staffed due to employees being called up by the military, the Israeli tech community is open for business. Employees of companies that are short staffed due to military deployments are pitching in to make sure products still work and customer deliveries happen. The rallying cry of the startup community has become, “Israeli tech delivers, no matter what!

It’s with that backdrop that we share this past week’s two proof points: Palo Alto is acquiring two of our portfolio companies, Dig and Talon, for a combined value of nearly $1 billion. It’s quite a week for our young fund. Either of these exits on its own would be amazing news, but two of them so close together serves as proof of just how resilient Israeli businesses are.

To be fair, neither of these companies is ordinary. Both have exceptional founders who have built and sold businesses before. Both run their companies with remarkable discipline. And each of the founders has a drive that is hard to keep up with.

Dig was an early test of our vetting model, discussing startups we were considering with our network of US cybersecurity leaders to get their feedback. We had around 40 of our advisors on our call that day, and as we discussed a few companies it was quite clear that the excitement was around Dig. Over a quarter of the people on the call asked for an intro to the company, and that conversation became a big driver in our decision to invest. Seeing CEO Dan Benjamin and the rest of the team operate over the last year and a half has been a lesson in how to run a company.

Talon was not the first enterprise browser company we spoke to, and frankly we spent a lot of time prior to meeting with Talon trying to understand why this market even existed. But sitting with Ofer and hearing directly from him why he had built this company made it click. It didn’t hurt that most of the CISOs we talked about it with were in love with the concept. Once we understood why we needed an enterprise browser, deciding that Talon was the one to invest in was not a hard decision, given their vision, their team and their founders.

Notably, Talon’s acquisition marks the third exit for Merlin Ventures Israeli portfolio companies in just the last six months – joining Dig and Enso. Our congratulations to these founders and each member of their remarkable teams!

The Israeli tech community remains resilient even in the face of conflict and adversity, and it is inspiring to us see how they have taken up the rallying cry of “Israeli tech delivers, no matter what.”

Why we dig Dig

Today Dig Security is coming out of stealth, and we are excited to be joining them in their journey as an investor and partner. Like most VCs, we talk to a lot of startups, and it’s often a difficult decision about whether this is “the one” that we want to commit to. For Dig, it was surprisingly easy. From our first conversation, it was clear CEO Dan Benjamin was an expert storyteller who could clearly lay out the problem at hand, why it needed to be solved, and why Dig was the team to solve it. The three co-founders, Dan, Ido Azran and Gad Akuka (first initials D-I-G — get it?), are all second-time founders tackling a problem they have first-hand knowledge of based on their previous roles

Databases have been with us since the 1960s. During those 60 years, we’ve seen massive changes in the way databases work, the types and volume of data they store, and where they store it. We’ve also seen a massive movement toward monetization of data, both by legitimate enterprises and criminal organizations, making those datastores juicier targets than ever.

As the cloud becomes the default place to spin up new datastores and migrate old ones, we need to rethink not just data storage, but data security in general. We cannot continue to rely on models that were designed before S3 or Database-as-a-Service was a thing. On-premises solutions were designed for different attack vectors and rely on different network and endpoint capabilities. Dig is rethinking data security from the ground up with a focus on what new risks and opportunities cloud brings.

It’s been a while since I’ve been a database administrator, and that’s probably for the best. The threats today’s DBAs, Chief Data Officers, and security teams need to defend against are a lot more dynamic than I ever had to worry about. I hope that by working with Dig, the industry’s first data detection and response (DDR) solution, we can help make their jobs a bit easier.

Merlin Ventures featured on N12 panel at Israeli Cyber Conference

Earlier this week, Merlin Ventures Managing Partner Shay Michel participated in a panel discussion about Israel as a cyber nation. The discussion was broadcast on the news channel N12 and you can watch Shay’s appearance in the recording below (in Hebrew).

Read more

Cyolo’s pressure-free guide to getting started with zero trust


This post was originally published in Cyolo’s blog. Cyolo is a Merlin Ventures portfolio company.

Read more

4 things that can help your startup achieve Gartner Cool Vendor recognition

Since 2004, being named a Gartner “Cool Vendor” is something every technology startup aspires to. As one of Gartner’s most popular programs, Cool Vendors shines a spotlight on new and emerging small companies. Startups will pore over guides about how to work with Gartner or look for insider secrets to becoming a Cool Vendor—doing anything they can to improve their chances of earning the coveted status. 

Read more

Advice for young startups eyeing federal: What kind of tech does the U.S. Government need?

High-profile cyberattacks against federal systems and critical infrastructure underscore the importance and urgency of strengthening U.S. cybersecurity capabilities. The landmark bipartisan Infrastructure Investment and Jobs Act of 2021 (IIJA) (H.R.3684), signed into law this week, includes about $2 billion in cybersecurity funding for new cybersecurity initiatives across Federal, State, Local, Tribal and Territorial governments. While the investment is welcome, sadly even $2 billion will not make our government systems immune to attack. The scope of the attack surface and dynamic nature of the threat environment make holistically strengthening cybersecurity a complex endeavor. Equally important, high levels of technical debt resulting from a reliance on legacy systems further hinder modernization efforts

Given the scope and scale of the federal government, building momentum for modernization efforts can be daunting. The Executive Order (EO) on Improving the Nation’s Cybersecurity, issued in May of this year, responds to this challenge by laying a foundation for progress. With its focus on pushing organizations, both in government and industry, to follow best practices for maturing cloud adoption and zero trust, as well as enhancing software supply chain security, the EO has the potential to drive significant advancements in security and resiliency across the federal enterprise.

Adopt security best practices

Recognizing that modernization done right drives security advancements, the EO prompts agencies to:

  • Adopt a cloud-service governance framework
  • Implement a zero-trust network architecture (ZTNA)
  • Enhance software supply chain security

Adopt a cloud-service governance framework

Fundamentally, the EO encourages agencies to continue their cloud adoption journey by transitioning to Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The migration of legacy IT systems to secure cloud services can have cascading positive impacts on agency operations as systems are updated to take advantage of native capabilities around resiliency and reliability; protection of sensitive data; and proactive threat detection, prevention, and response. As agencies move forward in adopting a cloud-governance framework, they will need to reevaluate their approach to security, and in many cases adopt new types of technologies that were not needed in legacy architectures. This presents an opportunity for startups, as often there is no incumbent in place yet in the Federal market, and agencies may be more willing to take a risk on an earlier stage company. For example, agencies may never have had a significant need for Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP) or Infrastructure as Code (IaC) solutions to date, but as the balance of on-prem to cloud shifts, these become vital parts of a security architecture. Similarly, with the cloud making old concepts of network boundaries obsolete, identity is being described as the new perimeter, opening opportunities for novel approaches to identity and access management. And those identity solutions play a big part in our next section, zero-trust.

Implement a zero-trust network architecture

Zero trust is now an integral part of the federal government’s strategy to strengthen cybersecurity in the face of increasingly aggressive and resourceful attackers. In addition to being a multi-year journey, the move away from perimeter-based network defenses toward zero trust security principles of ‘never trust, always verify,’ will require a major paradigm shift in how federal agencies approach cybersecurity. Throughout all aspects of the infrastructure, zero trust embeds security monitoring, security automation, microsegmentation, and granular access controls based on risk to limit access to only what is needed. DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has put together a zero trust architecture that defines five pillars agencies must consider in a mature zero trust architecture:

  • Identity
  • Device
  • Network/Environment
  • Application Workload
  • Data

Each of these pillars plays a vital role, and there is room for innovation in all of them. Identity in particular is a key foundation to a successful zero trust implementation, so better approaches to existing identity solutions like Identity and access management (IAM), Privileged access management (PAM) and Single sign-on (SSO) are needed. CISA’s maturity model for zero trust pushes for a future that is more reliant on continuous monitoring and validation across all pillars, real-time risk analysis, and improved machine learning capabilities to allow these systems to make better, faster decisions.

Enhance software supply chain security

Modernizing federal cybersecurity is just one element of the EO. It also results in a monumental shift in supply chain security requirements by establishing baseline security standards for any software—especially critical software—sold to the federal government. Per the EO’s directive, during the initial phase of the EO’s implementation, products identified as critical software will have to meet the technical requirements issued under Section 4(e) of the Executive Order.

Further, aiming to protect government agencies from the risk of supply chain software attacks, the EO calls for the National Institute of Standards and Technology (NIST) to create new supply chain security protocols and establish best practices, guidelines, and criteria for the future standards that software suppliers will need to comply with to be able to sell software to the federal government. This in and of itself may be the most impactful element of the entire EO, with a potential to improve both government and private sector systems. The EO does not mandate commercial industry change how they handle software supply chain security, but by instead using the carrot of federal government acquisitions, the EO has the potential to finally push much of the commercial software market to change their thinking on the importance of securing their development process.

While many of the software supply chain security requirements are high level, with more detail to be developed by NIST over time, the EO does give some insight into what the expectations for future software products will be. These include, among other things:

  • Employing encryption for data
  • Employing automated tools to maintain trusted source code supply chains, ensuring the integrity of code
  • Automated vulnerability discovery and remediation
  • Maintaining provenance of all software code or components, and implementing controls on internal and third-party components and tools used in the development process

As you can see above, one notable element of the new requirements is for more visibility into the software development process. Any organization that provides software meeting NIST’s definition of critical software will need to provide a Software Bill of Materials (SBOM) that attests to product and supply chain security. An SBOM is a machine-readable document that lists all components in a product. The SBOM ingredient list includes every library—both open-source software (OSS) and commercial off-the-shelf (COTS)—that is included in an application’s code as well as services, dependencies, compositions, and extensions.

We realize the EO can be complex topic, but understanding it will help you understand where to focus your efforts when bringing your capabilities into the Federal market. For help on navigating the Executive Order’s key requirements, deadlines, and solutions, we encourage you to visit Merlin Cyber’s Cyber EO Resource Center.

As agencies mature their cloud adoption; transition from protecting well-defined networks to securing blurry, fluid perimeters; and pivot from trusted systems to zero trust, the need to embrace new, innovative technologies capable of protecting identities representing people, services, and devices on-prem and in the cloud has never been more urgent. The government undoubtedly has a large task ahead of it as it works to modernize its approach to cybersecurity and adopt strategies to ensure ongoing mission success. Its best hope in doing so is to leverage the capabilities being developed by today’s and tomorrow’s startups.