Clutch Security

Computer and Network Security

Securing Non-Human Identities. Everywhere.

About us

Clutch is addressing the increasingly critical challenge of non-human identity security within modern enterprises. As digital infrastructures expand and become more complex, the management and security of non-human identities—ranging from API keys and secrets to tokens and service accounts—have emerged as a pivotal yet often neglected aspect of cybersecurity. Recognizing this gap, Clutch is developing an enterprise platform dedicated to the comprehensive protection and management of these identities. Our solution is designed to fortify the digital backbone of enterprises, ensuring a secure, resilient, and trustworthy environment for their operations.

Website: https://www.clutch.security
Industry: Computer and Network Security
Company size: 11-50 employees
Type: Privately Held
Founded: 2023

Updates

  • 🚨𝗦𝗮𝗺𝗲 𝗽𝗿𝗼𝗯𝗹𝗲𝗺, 𝗱𝗶𝗳𝗳𝗲𝗿𝗲𝗻𝘁 𝗱𝗮𝘆: 𝟭𝟮,𝟬𝟬𝟬+ 𝗔𝗣𝗜 𝗸𝗲𝘆𝘀 𝗮𝗻𝗱 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱𝘀 𝗲𝘅𝗽𝗼𝘀𝗲𝗱 𝗶𝗻 𝗽𝘂𝗯𝗹𝗶𝗰 𝗱𝗮𝘁𝗮𝘀𝗲𝘁𝘀 𝘂𝘀𝗲𝗱 𝘁𝗼 𝘁𝗿𝗮𝗶𝗻 𝗟𝗟𝗠𝘀. Some were still valid. No hacks, no exploits. Just credentials scraped from the internet and fed into AI models. Are we now going the extra mile beyond just hardcoding secrets, and we’re training our LLMs to write insecure code? Jokes aside, there are two important lessons here: 🔹 𝗦𝗲𝗰𝗿𝗲𝘁𝘀 𝘀𝗽𝗿𝗮𝘄𝗹 𝗶𝘀𝗻’𝘁 𝘁𝗵𝗲𝗼𝗿𝗲𝘁𝗶𝗰𝗮𝗹, 𝗶𝘁’𝘀 𝗮𝗰𝘁𝗶𝘃𝗲𝗹𝘆 𝗺𝗮𝗸𝗶𝗻𝗴 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘄𝗼𝗿𝘀𝗲, 𝗮𝗻𝗱 𝗯𝘆 𝘁𝗵𝗲 𝘄𝗮𝘆, 𝗶𝘁’𝘀 𝘃𝗲𝗿𝘆 𝗺𝘂𝗰𝗵 𝘀𝘁𝗶𝗹𝗹 𝗵𝗲𝗿𝗲. 🔹 𝗔𝗜 𝗺𝗼𝗱𝗲𝗹𝘀 𝗱𝗼𝗻’𝘁 𝗰𝗮𝗿𝗲 𝗮𝗯𝗼𝘂𝘁 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆. 𝗧𝗵𝗲𝘆 𝗺𝗲𝗺𝗼𝗿𝗶𝘇𝗲, 𝘀𝘂𝗴𝗴𝗲𝘀𝘁, 𝗮𝗻𝗱 𝘀𝗽𝗿𝗲𝗮𝗱 𝗯𝗮𝗱 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗲𝘀. This is why we built Clutch Security - to give security teams control over NHIs before they become attack vectors (or training data). 📖 Explore our research on how fast attackers exploit leaked NHIs—including those hardcoded in source code: https://lnkd.in/eGNCTpxi (Spoiler: they’re not waiting for your next rotation.) 📖 Link to the full story in the first comment. #CyberSecurity #NHISecurity #AppSec #SecretsManagement

  • 🎉 We’re thrilled to welcome Andrew Luhrmann as our new 𝗩𝗣 𝗼𝗳 𝗦𝗮𝗹𝗲𝘀, leading our go-to-market efforts as we scale Clutch Security to new heights!   With deep expertise in cybersecurity, enterprise sales, and global startup growth, Andrew will play a key role in driving our mission: 𝗦𝗲𝗰𝘂𝗿𝗶𝗻𝗴 𝗡𝗼𝗻-𝗛𝘂𝗺𝗮𝗻 𝗜𝗱𝗲𝗻𝘁𝗶𝘁𝗶𝗲𝘀. 𝗘𝘃𝗲𝗿𝘆𝘄𝗵𝗲𝗿𝗲. Welcome to the team, Andrew! 🚀 #CyberSecurity #NHISecurity #Leadership #GTM

  • 𝗪𝗵𝘆 𝗘𝗽𝗵𝗲𝗺𝗲𝗿𝗮𝗹 𝗜𝗱𝗲𝗻𝘁𝗶𝘁𝗶𝗲𝘀 𝗔𝗿𝗲 𝘁𝗵𝗲 𝗙𝘂𝘁𝘂𝗿𝗲 𝗼𝗳 𝗡𝗛𝗜 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 💡🫥 Static credentials are a hacker’s best friend - long-lived, hard to track, and often exposed before anyone realizes it.  𝗘𝗽𝗵𝗲𝗺𝗲𝗿𝗮𝗹 𝗶𝗱𝗲𝗻𝘁𝗶𝘁𝗶𝗲𝘀 𝗰𝗵𝗮𝗻𝗴𝗲 𝘁𝗵𝗲 𝗴𝗮𝗺𝗲. By automatically expiring after use, they 𝗲𝗹𝗶𝗺𝗶𝗻𝗮𝘁𝗲 𝘁𝗵𝗲 𝗮𝘁𝘁𝗮𝗰𝗸 𝘄𝗶𝗻𝗱𝗼𝘄, simplify operations, and align with Zero Trust principles. In our latest blog, we break down: ✅ What ephemeral identities are and why they matter ✅ How they work across AWS, Azure, and GCP ✅ Why secret rotation isn’t enough to stop attackers ✅ How to transition from static credentials to a secretless approach 𝗪𝗮𝗻𝘁 𝘆𝗼𝘂𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝘀𝘁𝗿𝗮𝘁𝗲𝗴𝘆 𝘁𝗼 𝗸𝗲𝗲𝗽 𝘂𝗽? Clutch Security helps you identify where ephemeral identities can be applied and accelerates this transition. 🔎 Read the full blog here: https://go.clut.ch/ln5 #CyberSecurity #NHI #NHISecurity #CloudSecurity #ZeroTrust #IAM

  • 𝗜𝗻𝘁𝗿𝗼𝗱𝘂𝗰𝗶𝗻𝗴 𝘁𝗵𝗲 𝗡𝗛𝗜 𝗥𝗶𝘀𝗸 𝗟𝗶𝗯𝗿𝗮𝗿𝘆: 𝗕𝗲𝗰𝗮𝘂𝘀𝗲 𝗜𝗴𝗻𝗼𝗿𝗮𝗻𝗰𝗲 𝗶𝘀 𝗡𝗼𝘁 𝗮 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗦𝘁𝗿𝗮𝘁𝗲𝗴𝘆 Think managing non-human identities is just about setting permissions? Think again.  The attack surface is massive, and the risks? Even bigger. That’s why we built the 𝗡𝗛𝗜 𝗥𝗶𝘀𝗸 𝗟𝗶𝗯𝗿𝗮𝗿𝘆: a straight-to-the-point guide to the most critical NHI risks security teams need to know. From 𝗹𝗶𝗳𝗲𝗰𝘆𝗰𝗹𝗲 𝗺𝗶𝘀𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 and 𝗼𝘃𝗲𝗿𝗽𝗿𝗶𝘃𝗶𝗹𝗲𝗴𝗲𝗱 𝘀𝗲𝗿𝘃𝗶𝗰𝗲 𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝘀 to 𝘀𝗲𝗰𝗿𝗲𝘁𝘀 𝘀𝘁𝗼𝗿𝗲𝗱 𝗶𝗻 𝗽𝗹𝗮𝗶𝗻𝘁𝗲𝘅𝘁 and 𝗰𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝘃𝗶𝗼𝗹𝗮𝘁𝗶𝗼𝗻𝘀, this library covers it all. We break down: 🔹 The risk 🔹 Why it’s a problem 🔹 How bad it can get 🔹 What you can do about it Risk awareness is the first step to securing NHIs - because you can’t defend against what you don’t understand. Check out the NHI Risk Library now: https://lnkd.in/erQgd-Md #NHI #NHISecurity #IdentitySecurity #ZeroTrust #CyberSecurity

  • Non-human identities like API keys, tokens, and service accounts are multiplying - and AI is accelerating this trend. These identities are often highly privileged yet dangerously invisible. While enterprises tighten controls on human access, NHIs remain one of the biggest cybersecurity blind spots today. On #NYSEFloorTalk, our Co-Founder & CEO, Ofir Har-Chen, breaks down why NHIs demand 𝗮 𝗭𝗲𝗿𝗼 𝗧𝗿𝘂𝘀𝘁 𝗮𝗽𝗽𝗿𝗼𝗮𝗰𝗵 and how Clutch Security is tackling this challenge head-on. From visibility gaps to proactive protection, the conversation with Judy Khan Shaw dives into why securing NHIs can’t wait. Watch the full discussion here 👇 #Cybersecurity #NHI #NHISecurity #NYSE Matan Eden Shay M. Becky Riji

  • 𝗔𝘁𝘁𝗮𝗰𝗸𝗲𝗿𝘀 𝗹𝗼𝘃𝗲 𝗡𝗛𝗜𝘀 ❤️🎯  Here’s Why: If you were an attacker, which would you choose? ✅ Phishing an employee - hoping they fall for it, bypass MFA, and don’t trigger an alert ✅ Finding an exposed API key with extensive access and limited monitoring Easy choice. NHIs don’t: ❌ Get suspicious of emails ❌ Use MFA ❌ Trigger alerts when logging in ❌ Change their passwords regularly (who likes downtime anyway?) Meanwhile, a leaked API key or service account can sit undetected for months, silently granting access to critical systems. If NHIs aren’t part of your security strategy, you’re making an attacker's job way too easy. Wanna learn how not to play into their hands? We’re here for you: https://lnkd.in/eQrcAiPr #NHI #NHISecurity #IdentitySecurity #ZeroTrust

  • 🔄 𝗙𝗿𝗼𝗺 𝗖𝗿𝗲𝗮𝘁𝗶𝗼𝗻 𝘁𝗼 𝗥𝗲𝘃𝗼𝗰𝗮𝘁𝗶𝗼𝗻 - 𝗛𝗼𝗽𝗲𝗳𝘂𝗹𝗹𝘆 𝗪𝗶𝘁𝗵𝗼𝘂𝘁 𝗮𝗻 𝗜𝗻𝗰𝗶𝗱𝗲𝗻𝘁 𝗶𝗻 𝗕𝗲𝘁𝘄𝗲𝗲𝗻... 🔄 What happens to a forgotten API key? Swipe through the carousel below to find out👇 Static NHIs don’t expire - they just sit there, unnoticed… until they become a security nightmare. Sound familiar? You’re not alone. Let’s fix it. Here’s how 𝗖𝗹𝘂𝘁𝗰𝗵’𝘀 𝗭𝗲𝗿𝗼 𝗧𝗿𝘂𝘀𝘁 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝘀 help: 🔹 Least privilege enforcement → Even if an NHI is forgotten, its access stays limited. 🔹 Continuous validation → If leaked, it becomes useless to attackers. 🔹 Ephemeral, auto-expiring credentials → No more long-lived, forgotten keys creating risk. Zero Trust for NHIs isn’t optional - it’s essential. #NHI #NHISecurity #ZeroTrust

  • 𝗧𝗵𝗲 𝗡𝗲𝘄 𝗕𝘂𝗴 𝗕𝗼𝘂𝗻𝘁𝘆: 𝗘𝘅𝗽𝗹𝗼𝗶𝘁𝗶𝗻𝗴 𝗡𝗛𝗜𝘀 𝘁𝗼 𝗣𝗿𝗼𝘃𝗲 𝗦𝘂𝗽𝗽𝗹𝘆 𝗖𝗵𝗮𝗶𝗻 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗜𝘀 𝗕𝗿𝗼𝗸𝗲𝗻 A recent challenge offered $50K to breach a software supply chain, and bug bounty hunters succeeded in just 14 hours. The key weakness? A leaked npm token hidden inside a Docker image build layer. 💥 Here’s how it happened: 🔹 An npm token was embedded in a Docker build layer, making it retrievable, even after being “removed” from the final image. 🔹 The attackers used it to push malicious packages to a private registry, poisoning the software supply chain. 🔹 The compromised packages were pulled into production, spreading the attack downstream. Why does this keep happening? 🔹 Static credentials live indefinitely unless actively revoked, giving attackers an open window. 🔹 CI/CD secrets often have excessive permissions, granting deep access once compromised. 🔹 Build artifacts retain secrets unless layers are explicitly scrubbed - deletion isn’t enough. 📌 𝗟𝗲𝘀𝘀𝗼𝗻 𝗹𝗲𝗮𝗿𝗻𝗲𝗱?  NHIs need strict least privilege enforcement and 𝗰𝗼𝗻𝘁𝗶𝗻𝘂𝗼𝘂𝘀 𝗭𝗲𝗿𝗼 𝗧𝗿𝘂𝘀𝘁 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻. It’s critical in build environments - but just as essential across the entire organizational landscape. Otherwise, they become silent backdoors waiting to be exploited. 👉 Dive deeper into the full breakdown here: https://lnkd.in/dr7vHKvh #NHI #NHISecurity #SSCS #SupplyChainSecurity #DevSecOps

  • ☁️ 𝗖𝗹𝗼𝘂𝗱 𝗶𝗱𝗲𝗻𝘁𝗶𝘁𝘆 𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗶𝘀 𝗮 𝘀𝗲𝗿𝗶𝗼𝘂𝘀 𝗱𝗲𝗮𝗹 ☁️ Many security teams rely on Cloud Infrastructure Entitlement Management (#CIEM) to manage access risks—but CIEM stops at cloud permissions and 𝗺𝗶𝘀𝘀𝗲𝘀 𝘁𝗵𝗲 𝗯𝗶𝗴𝗴𝗲𝗿 𝘁𝗵𝗿𝗲𝗮𝘁: 𝗡𝗼𝗻-𝗛𝘂𝗺𝗮𝗻 𝗜𝗱𝗲𝗻𝘁𝗶𝘁𝗶𝗲𝘀. CIEM helps answer “𝘞𝘩𝘰 𝘩𝘢𝘴 𝘢𝘤𝘤𝘦𝘴𝘴 𝘵𝘰 𝘸𝘩𝘢𝘵?” but it doesn’t: ❌ Track NHIs beyond cloud—across SaaS, CI/CD, code, and on-prem environments ❌ Detect real-time threats tied to compromised API keys, tokens, and service accounts ❌ Manage the full identity lifecycle—from creation to decommissioning ❌ Proactively enforce Zero Trust—continuously validating access requests NHI Security fills the gaps. It delivers full visibility, risk reduction, and Zero Trust enforcement for all machine identities—wherever they live. 🔗 Read the full breakdown: https://go.clut.ch/d48 #NHISecurity #CIEM #ZeroTrust #CloudSecurity

  • 🔑 𝗔𝘁𝗹𝗮𝘀𝘀𝗶𝗮𝗻’𝘀 𝗔𝗣𝗜 𝗧𝗼𝗸𝗲𝗻 𝗘𝘅𝗽𝗶𝗿𝘆 𝗨𝗽𝗱𝗮𝘁𝗲: 𝗔 𝗦𝘁𝗲𝗽 𝗙𝗼𝗿𝘄𝗮𝗿𝗱 𝗳𝗼𝗿 𝗡𝗛𝗜 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 🔑 Atlassian just announced that starting next month, 𝗔𝗣𝗜 𝘁𝗼𝗸𝗲𝗻𝘀 𝘄𝗶𝗹𝗹 𝗵𝗮𝘃𝗲 𝗲𝗻𝗳𝗼𝗿𝗰𝗲𝗱 𝗲𝘅𝗽𝗶𝗿𝘆 𝗱𝗮𝘁𝗲𝘀 - finally closing a long-standing security gap. Until now, these tokens had no lifespan, leaving forgotten, overprivileged, or compromised credentials active indefinitely. This is a necessary step, but it’s only the tip of the iceberg. Our 𝗡𝗛𝗜 𝗜𝗻𝗱𝗲𝘅 - a comprehensive mapping of hundreds of NHIs across diverse environments and tools, including Atlassian’s Jira and Confluence - reveals 𝗱𝗲𝗲𝗽𝗲𝗿 𝗳𝗹𝗮𝘄𝘀 𝗶𝗻 𝗦𝗮𝗮𝗦 𝗡𝗛𝗜 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆: ❌ 𝟵𝟭% 𝗼𝗳 𝗡𝗛𝗜𝘀 𝗹𝗮𝗰𝗸 𝗱𝗲𝗻𝘆𝗹𝗶𝘀𝘁 𝗳𝘂𝗻𝗰𝘁𝗶𝗼𝗻𝗮𝗹𝗶𝘁𝘆 - making it impossible to block unauthorized entities. ❌ 𝟲𝟰% 𝗵𝗮𝘃𝗲 𝗻𝗼 𝗮𝗹𝗹𝗼𝘄𝗹𝗶𝘀𝘁 𝘀𝘂𝗽𝗽𝗼𝗿𝘁 - preventing restriction to trusted sources. ❌ 𝟴𝟯% 𝗱𝗼𝗻’𝘁 𝘀𝘂𝗽𝗽𝗼𝗿𝘁 𝗰𝗼𝗻𝗳𝗶𝗴𝘂𝗿𝗮𝗯𝗹𝗲 𝗲𝘅𝗽𝗶𝗿𝘆 𝗱𝗮𝘁𝗲𝘀 - forcing security teams into endless manual monitoring. 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝘀𝗻’𝘁 𝗮 𝗳𝗲𝗮𝘁𝘂𝗿𝗲—𝗶𝘁’𝘀 𝗮 𝗿𝗲𝘀𝗽𝗼𝗻𝘀𝗶𝗯𝗶𝗹𝗶𝘁𝘆. Atlassian took an important step, but 𝘄𝗲, 𝗮𝘀 𝗮 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗰𝗼𝗺𝗺𝘂𝗻𝗶𝘁𝘆, 𝗺𝘂𝘀𝘁 𝗱𝗲𝗺𝗮𝗻𝗱 𝗺𝗼𝗿𝗲 𝗳𝗿𝗼𝗺 𝗼𝘂𝗿 𝘃𝗲𝗻𝗱𝗼𝗿𝘀. Who should be next? 📊 Explore our NHI Index to see the full NHI security landscape: https://www.nonhuman.id/ #NHI #NHISecurity #CyberSecurity #SaaS #API #APIToken

Funding

Clutch Security: 2 total rounds
Last round: Series A, US$ 20.0M