Bel Lepe, a former Google software engineer, tells me that it always seemed risky to him that there were apps that business users needed and used but that IT and security teams were unwilling to approve them because of their lack of support for identity standards.
It’s a legitimate issue. According to a Ponemon Institute survey, 52% of organizations have experienced a cybersecurity incident caused by their inability to secure nonstandard apps.
“Security tools have traditionally been built with only security and IT users in mind, but many apps that businesses depend on don’t support security standards,” Lepe said in an email interview. “We refer to these applications as ‘nonstandard apps.’ Nonstandard apps don’t work with enterprise IT and security tools because they lack support for modern identity protocols for automated onboarding and offboarding of users.”
Lepe tried to simply live with the problem as his career took him through various startups and organizations. But a few years back, he was connected with a customer, Wizeline, that expressed a willingness to spend to solve the nonstandard app dilemma.
With his co-worker at the time, Vidal González, Lepe set upon building a company to manage access for business-to-business nonstandard apps. That company became Cerby, which today closed a $17 million Series A funding round led by Two Sigma Ventures with participation from Ridge Ventures, Founders Fund, Bowery Capital, AV8, Salesforce Ventures, Tau Ventures, Okta Ventures, Incubate Fund and Carbon Black co-founder Ben Johnson.
Lepe wouldn’t reveal Cerby’s current valuation, but he claims that it’s “double” what it was 18 months ago.
“Harnessing the power of identity providers like Okta, Azure AD and SailPoint, Cerby removes the need for manual tools and compensating controls, such as enterprise password managers, by automating everyday human security tasks based on single sign-on and lifecycle management cues from upstream identity providers,” Lepe added. “This allows Cerby to protect any application independent of standards support.”
As Lepe alluded to, Cerby works by automating certain tasks, including offboarding and two-factor authentication enrollment, while providing security teams with visibility and control of employee-onboarded apps. It lets customers share access to social media accounts, for example, without sharing passwords. And Cerby can detect rogue apps, guiding users to more secure alternatives.
Lepe asserts that it can both reduce a company’s reliance on manual controls and prevent potential breaches — two key desires of most enterprises. “Cerby ensures that every application, regardless of location or support for standards, is integrated into a unified identity mesh, providing consistent security standards across the enterprise,” he added.
To use Cerby, companies first connect the platform to a corporate identity provider, like Okta or Ping. Then they register their apps in Cerby, accessing them by logging into the corporate identity provider.
“While our initial focus was on managing access to applications for marketing teams, we’ve since expanded our reach,” Lepe said. “We now cater to most departments like sales, product, manufacturing and finance, covering applications ranging from on-premises and OT to legacy and cloud.”
To stay one step ahead, Cerby plans to adopt AI — specifically large language models similar to the kind powering OpenAI’s ChatGPT — to bolster its threat detection capabilities. Lepe describes AI that might be able to help guide users to the best way to securely configure an app when they’re signing up, perhaps via an interactive, in-context wizard.
“This isn’t only about scaling our integrations; it’s also about making our system more intelligent,” he said. “We’ll be able to pinpoint abnormal behaviors quicker and more accurately by analyzing vast amounts of unstructured data. This ensures even nonstandard applications benefit from state-of-the-art security insights.”
Lepe claims that San Francisco–based Cerby, which has around 60 employees, has 26 active customers, including Colgate-Palmolive and a “major” healthcare provider. Cerby aims to acquire federal customers in late 2024; the new funding tranche, which brings Cerby’s total raised to $32.5 million, will be put toward scaling the firm’s go-to-market, sales and marketing efforts.
“We planned to raise our Series A at the end of the summer of 2023, but then we received a preemptive term sheet. That moved our fundraising process forward by approximately three months,” Lepe said. “Despite the broader tech slowdown, Cerby has been amazingly resilient. Our solution is essential for businesses merging legacy and modern applications in an evolving work landscape, ensuring we remain vital regardless of market fluctuations.”