RSAC Innovation Sandbox 2024 - Who to Watch
The best part of working on Latio is getting to see the amazing innovation across emerging security products. I was excited to see that this year I agree with most of the RSA Innovation Sandbox choices. I wanted to take this week to highlight some of their amazing work and innovation. If you missed the Innovation Sandbox, make sure you check these companies out anyway!
Identity Innovation
Identity continues to be a tough nut to crack for startups. Despite being a glaring need for most companies, identity products are tough to sell because they’re often hard to integrate and don’t have clear categories to solve overarching problems. Aembit and P0 are both doing some amazing things in this category, and they’re great choices for this innovation.
Aembit
What’s the Problem? Because applications ultimately need decrypted credentials, machine-to-machine authentication is one of the hardest challenges in security. As an example, just yesterday this question came up in the Kubernetes subreddit asking about delivering secrets to apps in Kubernetes. Existing solutions all have various security issues.
What they do: Aembit provides the most secure way I've seen of delivering machine-to-machine credentials to your workloads. They uniquely validate asset identity via contextual properties and integrations, and then inject the approved credentials into the workload. Put simply, Aembit securely delivers secrets to workloads.
What makes them unique: Aembit has two core technologies that set them apart for me. First, they have contextual access controls for granting secrets to apps. Traditionally, secrets are only verified via basic RBAC or server roles, if at all, before being passed on to workloads. Aembit instead allows the creation of access conditions, such as the machine existing in Wiz, before the secret is granted.
Secondly, Aembit has put a huge amount of work into the secret delivery mechanism itself, even offering proxies for JWT authentication so that services never even handle the secret itself.
Why wouldn’t you use them? Secrets are super challenging and super nerdy. At the end of the day, everyone probably should use something like this, but the implementation requires a lot of careful thinking.
P0 Security
What’s the Problem? Managing user access to resources in a cloud environment is a complicated nightmare. Not only is there cloud API access, but more importantly, there’s access to the underlying workloads themselves. At this point, there are a few different offerings out there for Just in Time (JIT) cloud access roles that help to solve this for the Cloud API. P0 is one of only two companies I’m aware of (Apono is the other one) that extend this beyond the cloud API layer down to the workloads themselves.
What they do: P0 creates comprehensive Just in Time (JIT) access roles across cloud APIs and workloads, allowing an extremely high level of both accessibility and security by spinning up short-lived roles for resources as needed. I really think this will be the future of cloud access.
What makes them unique: While many companies at this point offer JIT role creation for cloud, P0 extends far beyond this by offering it for Kubernetes, Postgres, Snowflake, and others. This both improves the access request workflow and expands it into the workloads themselves.
Why wouldn’t you use them? JIT access is still challenging conceptually, and many companies aren’t quite ready for it yet. However, I think this is a far better approach than endlessly chasing down least-privilege policies.
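To make the two ideas above concrete (an access condition checked against an external inventory before a secret is released, as in the Aembit section, and a short-lived, scoped grant rather than a standing role, as in the P0 section), here is an added toy broker. It is illustration only, not Aembit's or P0's code; the policy, the inventory and every name in it are constructed stand-ins.

```python
"""Toy credential broker: grant only when workload attributes match a policy AND
contextual conditions hold, and then only as a short-lived grant.
Constructed example; not any vendor's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import secrets

# Constructed stand-in for an external posture inventory (think: a CSPM export).
POSTURE_INVENTORY = {"i-0a1b2c": {"agent_healthy": True, "critical_findings": 0}}

# Which workload identity may receive which credential, under which conditions,
# and for how long. Constructed policy.
POLICIES = [{
    "credential": "orders-db",
    "require": {"namespace": "payments", "service_account": "orders-api"},
    "conditions": ["in_inventory", "no_critical_findings"],
    "ttl_minutes": 15,
}]

@dataclass
class Grant:
    credential: str
    token: str            # opaque handle; the workload never sees the real secret
    expires_at: datetime

def _conditions_hold(identity: Dict[str, str], conditions: List[str]) -> bool:
    """Evaluate contextual conditions against the (constructed) inventory."""
    host = POSTURE_INVENTORY.get(identity.get("instance_id", ""))
    checks = {
        "in_inventory": host is not None,
        "no_critical_findings": host is not None and host["critical_findings"] == 0,
    }
    return all(checks[c] for c in conditions)

def request_credential(identity: Dict[str, str], credential: str,
                       now: Optional[datetime] = None) -> Optional[Grant]:
    """Return a short-lived Grant, or None when attributes or conditions fail."""
    now = now or datetime.now(timezone.utc)
    for policy in POLICIES:
        if policy["credential"] != credential:
            continue
        if any(identity.get(k) != v for k, v in policy["require"].items()):
            continue  # identity attributes do not match this policy
        if not _conditions_hold(identity, policy["conditions"]):
            return None  # matched, but context failed: deny rather than fall through
        ttl = timedelta(minutes=policy["ttl_minutes"])
        return Grant(credential, secrets.token_urlsafe(16), now + ttl)
    return None

def is_valid(grant: Grant, now: datetime) -> bool:
    """JIT grants expire; callers must re-request rather than hold a standing role."""
    return now < grant.expires_at
```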
Data Data Data
Despite the plethora of “DSPM” vendors and acquisitions, data security, discovery, and tagging remain giant challenges for organizations. I’ve seen numerous data tagging projects start, but rarely are they finished and well maintained.
Harmonic
What’s the Problem? Most of the fright around AI adoption has to do with data storage, manipulation, and ultimately leakage. Data tagging has been a huge challenge for orgs, and the rapid adoption of LLMs has made that worse.
What they do: Like most of the other LLM security vendors, Harmonic helps gain visibility into LLM workflows and usage.
What makes them unique: Harmonic differs with their focus on using LLMs to help detect and map the flow of sensitive data. The team at Harmonic has a rich history in scanning the dark web for sensitive data, and they’re aiming to maximize the power of LLMs to bring this same approach to LLM security.
Why wouldn’t you use them? LLM security is still very new and developing very quickly. As of my last evaluation, there were some vendors with more support than them, but this field is changing so fast that might already be outdated!
Antimatter
What’s the Problem? Everyone wants to do contextual data protection, but it is an incredible pain to anonymize and tag data in a way that it can still be used later. Often it requires either third party services or complex workflows.
What they do: Antimatter allows you to create encrypted chunks of your data along with metadata, enabling advanced control use cases, such as policies for reading or writing data, audit access logs, or protecting LLM RAG use cases.
What makes them unique: Antimatter manages to bridge the gap between traditional privacy APIs and local data cleanup services. Their approach of including metadata directly allows you to create highly tuned policies around how, and by whom, that data can be read or written.
Why wouldn’t you use them? This stuff is super nerdy. While Antimatter makes it more approachable than some alternatives, it’s still tough to implement.
The Rad Ones
My favorite companies are those that are born out of community efforts that care about tackling important challenges in the ecosystem. Kubernetes security and vulnerability streams are two of those challenges.
Rad Security
What’s the Problem? Kubernetes security is really hard and requires correlating a lot of logs across configuration and runtime environments. Furthermore, vendors need to be able to quickly adapt to an ever changing community.
What they do: Rad has combined just about every feature you could want in a solution highly focused on Kubernetes security. They provide everything from posture scanning to runtime detection based on standardized baselines, even combining those features together to maximize their value.
What makes them unique: Rad is unique for combining runtime with configuration scanning and baselining, and for their commitment to the Kubernetes security community. Their team has rich backgrounds across application security organizations, and while individual aspects of their tool may exist in other platforms on paper, their depth and breadth far exceed larger CNAPP platforms.
Why wouldn’t you use them? I’ve gotten to the point where I highly recommend a specialized Kubernetes runtime solution like Rad, ARMO, Upwind, Sweet, or Oligo; each offers a unique flavor of Kubernetes security that should be layered in with your CNAPP. That being said, many companies might feel they’re covered by their CNAPP provider (most of the time, I don’t think so).
VulnCheck
What’s the Problem? The NVD is an essential part of the entire cybersecurity ecosystem that operates without enough funding, support, or good enough data. There is a desperate need for better upstream vulnerability data.
What they do: VulnCheck offers enriched vulnerability feeds that primarily increase the depth of exploit and PoC data. This is the key data that’s most needed in prioritization and remediation efforts.
What makes them unique: VulnCheck is born out of providing a necessary service to the community, providing hands on exploit data to better assess the severity of vulnerabilities.
Why wouldn’t you use them? Because VulnCheck doesn’t directly offer their own scanning, they’re the kind of service most companies will hope their upstream scanner is using to enrich their data, rather than using directly.
Latio List v1.13
Added Bedrock Systems to Boundary Breakers and Container Runtime: an extremely nerdy level of security, providing a hypervisor for Linux workloads.
Added Approov to Mobile: a runtime-oriented approach to validating the security of an app before fetching sensitive data.
Added Sternum to Container Runtime: another nerdy level of container security, but focused on memory exploits and expanding into other CWEs.
Added Oligo to Container Vulnerability, because somehow I only had them under Container Runtime and SCA before.