Smallstep Certificate Manager | Your Hosted Private CA

How we got here, and where we are headed

Mike Malone

I’m not big on funding announcements. In general, I find them prematurely self-congratulatory and slightly gauche. Thus, we’ve never announced funding before. I recently realized that we were doing a massive disservice to an important constituency: the amazing group of investors that we’ve been working with over the years whose unique perspectives (and checkbooks) have helped shape the company.

Today, I’d like to officially announce that Smallstep has raised $26 million in seed and Series A funding.

Now, on to the important stuff: how we got here, and where we’re headed.

It’s been six years since I started Smallstep. That’s an unusually long youth for a startup. We’ve been using that time to work collaboratively with the community to build, and open source, core infrastructure — something that few early-stage startups have been able to pull off.

That’s the part that happened in public, anyways. Even earlier, we built an entire programming language that was safe for remote execution (i.e., you could prove confinement and termination). We packaged it as a “best of both worlds” policy engine that let a central policy team manage service-to-service authorization code that’s deployed and efficiently executed in-process with the applications being protected. It’s pretty rad, and people liked it. But we kept hearing the same thing: “cool authorization product, but we don’t have authentication yet.”

I have endless notes on various authenticated encryption options. But, ultimately, our research kept pointing us in the same direction: TLS is the right technology for the vast majority of distributed system use cases. It’s fast, easy, and it works everywhere (I’ve written extensively on this topic elsewhere). So, if TLS is so great, why isn’t everyone already using it? Certificates.

To use TLS, you need to issue and manage certificates. But, certificate management is a challenge. Certificates are unique in their ability to authenticate ad-hoc peer-to-peer communication, without relying on any third-party service (that might fail), and without pre-distributing keys (which doesn’t scale). These characteristics make certificate-based authentication ideal for distributed systems. Aside from TLS, certificates are useful for SSH, code signing, and dozens of other problems. What was missing was the infrastructure to automate certificate management at the pace and scale of modern software. So, we started building.

The first few years of Smallstep we dedicated solely to open source – creating and maintaining the tools we wanted to see in the world. Late last summer, we started to commercialize our automated certificate management toolchain. Every non-trivial distributed system would benefit from good certificate management infrastructure – and we’re building the product for it.

Throughout all of this, our investors offered patient guidance and strategic insights. Venture investors usually prioritize quick ROI, but we’ve been lucky to have a group of folks involved that understand that we’re building something important for a big market, and doing it right takes time.

From the very beginning, it was Kent Goldman at Upside Partnership who believed in me – a sole founder – and the solutions I could create with a great team. He helped me turn an academic lecture on distributed systems architecture into a pitch deck. Amit Kumar committed next, introducing us to the amazing team at Accel and providing critical early financing. Just before closing our seed round, I was introduced to Ed Sim and Eliot Durbin at boldstart ventures. It was immediately clear that we would work well together and I figured out how to squeeze them onto the cap table. Looking back, we wouldn’t be around without Ed & Eliot. They’re hard-working, smart and, above all, kind. I’d keep going, but I think their portfolio speaks for itself. Enrique Salem at Bain Capital Ventures joined a few years in. He’s got a piercing intellect and to-the-point style that helps us focus on what matters and ignore distractions (along with the operational experience to know the difference).

Raising a Series A is different than seed financing. Pure vision and napkin math market sizing no longer suffice. You need customer testimonials and black-and-white performance indicators. Thankfully, customers came quickly after launch, despite our complete lack of salespeople (which we are hiring for, by the way). Early this year, we closed a Series A led by Hunter Somerville at StepStone Group, with participation from existing investors. Andrew McMahon, from Ridgeline, also joined this round. Ridgeline specializes in selling to the federal space and large enterprises, and I couldn’t be happier as we have a pressing need to develop our expertise in these spaces.

We have all the pieces we need. Now we continue to make certificates and Production Identity easy, and grow our products and our team. We’re hiring internationally — we want the best people, wherever they are — so drop me a line if you know anyone. We’re particularly keen to find some good product and sales folks who want to join an awesome team where they can have a huge impact on the future of Production Identity.

Ultimately, we’re on a mission to solve identity for distributed systems. There’s a lot to unpack there - and there’s a lot we have left to solve. Once that’s done, maybe we’ll dust off those old policy language repositories?

With an eye to the future, and much gratitude to everyone who’s helped along the way,


Mike Malone has been working on making infrastructure security easy with Smallstep for six years as CEO and Founder. Prior to Smallstep, Mike was CTO at Betable. He is at heart a distributed systems enthusiast who makes open source solutions that solve big problems in Production Identity, and he is a published research author in the world of cybersecurity policy.
