Smallstep

Computer and Network Security

San Francisco, CA 2,447 followers

Ensure that access to sensitive corporate resources is only possible from trusted devices with Smallstep Device Identity

About us

Ensure that only company-owned devices can access financial data, code repositories, PII, SaaS apps, and other sensitive resources with hardware-bound credentials.

Website: https://smallstep.com/
Industry: Computer and Network Security
Company size: 11-50 employees
Headquarters: San Francisco, CA
Type: Privately Held
Founded: 2016
Specialties: Identity, Security, mTLS, PKI, open-source, SSH, certificate management, and Zero Trust

Updates

  • With Autonomous systems, authentication happens once, but execution happens forever. ❌

    The full recording of our webinar, Securing Autonomous Defense Systems with Hardware-Attested Device Identity, is now available on demand! In this session, J. Hunter Hawke and Josh Drake explored how autonomous systems, AI workloads, and machine-driven environments are reshaping modern security assumptions and why traditional identity models built around humans, passwords, and one-time authentication events are no longer enough.

    We covered:

    - Why the human-in-the-loop assumption no longer holds
    - The growing gap between authentication and execution
    - Why hardware-attested device identity becomes foundational in autonomous environments
    - How TPM and Secure Enclave-backed attestation strengthen trust enforcement
    - What autonomous defense and manufacturing systems mean for the future of security

    As autonomous platforms continue operating long after the original authentication event, organizations need a way to verify what is actually executing actions, not just who initiated them.

    🎥 Watch the webinar on demand: https://hubs.ly/Q04h_T4z0

    #Cybersecurity #AI #DeviceIdentity #AutonomousSystems #IdentitySecurity #DefenseTech

  • For the second year in a row, Smallstep is proud to sponsor Black Hat USA! 😎

    Join us August 3rd–6th at Mandalay Bay in Las Vegas and stop by Booth 5111 near the AI Zone to see what’s next for device identity, phishing-resistant access, and securing AI-driven environments without relying on blind trust. ✅

    We’ll have interactive touchscreen demos at the booth so you can experience firsthand how hardware-attested device identity changes the way organizations secure access across devices, workloads, and modern infrastructure.

    We’re also hosting an exclusive MFA for AI theatre session at the booth, where we’ll break down why traditional identity models fall short for AI agents, autonomous systems, and non-human identities and what security teams need to do next.

    As AI agents and autonomous systems continue to reshape enterprise security, one thing is becoming clear: identity cannot stop at the user. Trust has to start at the device.

    See you in Vegas! 🎰

    #BlackHatUSA #Cybersecurity #AI #DeviceIdentity #IdentitySecurity #MFA

  • This Memorial Day, we honor those who gave their lives in service to our country and reflect on the sacrifices made to protect the freedoms we often take for granted. Thank you to the service members, veterans, and military families whose courage and commitment continue to inspire us. Wishing everyone a safe and meaningful Memorial Day weekend. 🇺🇸 #MemorialDay #HonorAndRemember

  • We partnered with Jamf to solve a problem that has been hiding in plain sight. 🫣

    Security teams have gotten very good at managing devices and very good at authenticating users, but there is still a gap between the two. Access is often granted based on credentials and posture signals, not on proof that the device itself is real, trusted, and company-owned. That gap is exactly where attackers win.

    Our partnership brings Jamf’s industry-leading Apple device management together with Smallstep’s hardware-attested device identity to close it. Now, access decisions are no longer based on assumptions. They are backed by cryptographic proof.

    🔐 Verify that every device is real and hardware-backed before granting access
    ⚡ Automatically issue and rotate short-lived, device-bound certificates
    🚫 Make stolen credentials useless without a trusted device
    💻 Secure access across Wi-Fi, VPN, SSH, and applications without adding friction

    This is what it looks like when device management and device identity actually work together. 🤩

    The result is simple: only trusted devices get access. Everything else is blocked (as it should be). 🙅♀️

    Jamf just highlighted our exciting partnership in their Tech Partner Spotlight, and it is a great look at what this shift means for Apple-first organizations. Check it out here! 👉 https://hubs.ly/Q04hl8D00

  • Autonomous AI systems are already making decisions, executing actions, and interacting with real-world environments, and this is exactly where traditional security models begin to break down. Security has historically been built around the assumption that a human is always in the loop, but in modern defense environments, that assumption no longer holds true. Next week, on Tuesday, May 26th at 9am PT / 12pm ET, we go beyond theory and examine what is actually changing across AI and defense systems in real-world environments. We explore how platforms like Anthropic’s Mythos are shifting the core security question from who approved an action to what actually executed it, and why that distinction is becoming more critical than ever. ⚠️ We also look at how companies like Anduril approach device trust when systems are making real-world decisions without human involvement, and how that shift fundamentally changes long-standing security assumptions. We dive into manufacturing environments like Hadrian, where machines operate autonomously on the factory floor and trust must be continuously established, enforced, and verified. 🏭 Across all of these examples, a clear theme emerges. There is a growing gap between authorization and execution. Knowing who approved something is no longer sufficient; you must also verify what actually carried it out. When there is no human to authenticate, the focus shifts to understanding which signals truly matter and which ones can be trusted. 🔍 This is where hardware-attested device identity becomes foundational. It ensures that every action is tied to a verified, trusted device, not an assumption. 🔐 👉 Register here: https://hubs.ly/Q04fFTRG0

  • The Stryker incident is a clear reminder that attackers don’t need to break in anymore, they just log in. 🫠 There was no malware involved and no sophisticated exploit chain. Instead, a compromised credential was used through a trusted system, which ultimately led to tens of thousands of devices being wiped. What’s most concerning is how familiar this pattern has become. Across the industry, credential exfiltration continues to be one of the most effective attack paths. Credentials are phished, sessions are reused, and access appears completely legitimate because, from the system’s perspective, everything checks out. Most security models are still built around verifying the user, and once that box is checked, the request is trusted. The problem is that attackers don’t need to bypass authentication anymore, they simply inherit it. This is exactly where things break down. If a system cannot verify where a request is actually coming from, then any valid credential can be used from an untrusted environment without raising alarms. That is what made the Stryker incident possible, and it’s a gap that still exists in many environments today. 👉 Read the full breakdown and what could have prevented it: https://hubs.ly/Q04f8sBd0 #CyberSecurity #DeviceIdentity #ZeroTrust #Security #Smallstep

  • SCEP uses a shared secret to enroll devices, which means that any device with access to that secret can request a certificate and appear legitimate. That model may have worked in more controlled environments, but it does not hold up in modern infrastructure where credentials are constantly being exposed, reused, and replayed. The core issue is that a shared secret does not prove anything about the device itself. It does not verify where the request is coming from, and it cannot distinguish between a trusted device and an attacker using valid credentials. Once that secret is compromised, it can be used from anywhere without raising alarms. That is not device identity. It is simply access controlled by a password. Modern environments require a stronger foundation. They require proof that a key was generated on a real device, proof that the device is trusted, and proof that access is coming from the right place. That is the shift from shared secrets to hardware-backed identity. 👉 See how Smallstep replaces SCEP with real device identity: https://hubs.ly/Q04fk_gF0 #Smallstep #DeviceIdentity #ZeroTrust #SCEP #CyberSecurity

  • Your Wi-Fi security doesn’t stop at the office. ❌

    It follows your team to coffee shops, airport lounges, and yes—even the sidelines of a kid’s volleyball game. And that’s where things get risky. Because once devices leave the controlled network, they’re connecting over open, shared, and often untrusted internet.

    At that point, a Wi-Fi password or a long-lived certificate isn’t much of a security boundary. If those credentials are reused, shared, or compromised, access can follow them anywhere. That’s the problem. Most Wi-Fi access today is based on trust at a moment in time, not on continuous verification of the device itself.

    Smallstep approaches this differently by treating Wi-Fi as an identity problem, not just a network problem. Instead of shared passwords or static credentials, devices authenticate using short-lived, hardware-backed certificates that are tied to a specific, verified device. This means:

    🔐 No shared Wi-Fi passwords floating around
    🧩 Access is tied to a real device, not just a config
    ⚙️ Credentials rotate automatically, so access doesn’t linger
    🚫 If a device isn’t trusted, it simply can’t connect

    From a user’s perspective, nothing changes, they just connect, wherever they are. From a security perspective, you’re no longer trusting the network. You’re trusting the device. ✅

    👉 See how we secure Wi-Fi with device identity: https://hubs.ly/Q04f8l7f0

    #Smallstep #DeviceIdentity #ZeroTrust #WiFi #CyberSecurity

  • 🤖 MFA for AI starts here

    AI agents are quickly becoming the interface to your most sensitive systems. They call APIs. They access data. They take action. And increasingly… they’re doing it without a human in the loop.

    But here’s the problem: They don’t MFA. There’s no prompt to approve. No second factor to challenge. No moment to stop and verify intent. Once access is granted, it often persists and gets reused in ways you can’t easily see or control.

    So the question shifts: 👉 Can you trust the environment that agent is running in?

    That’s where Smallstep comes in. With hardware-backed device identity, Smallstep ensures agents only get credentials if they’re running in verified, trusted infrastructure. And with our integration with Keycard, you can go even further:

    🔐 Smallstep proves where the agent is running
    ⚙️ Keycard governs what the agent is allowed to do

    Together, it’s a new model: MFA for AI without the prompts. Because when there’s no human in the loop, trust has to start with the device.

    👉 Learn how we secure non-human identities and agent workflows: https://hubs.ly/Q04f8tbx0

  • Here’s the problem most security teams are still dealing with: You can verify the user, but you can’t actually verify the device.

    Most modern stacks rely on signals like posture checks, OS versions, enrollment status. Helpful, but still just signals. 👉 And signals can be replayed, proxied, or faked.

    So when a request comes in, the system says: “this looks like a trusted device” But it can’t actually prove it. That’s the gap.

    That’s why we built Smallstep’s Device Identity Platform—to move beyond signals and actually bind identity to real hardware using cryptographic attestation. Instead of asking a device to report on itself, you require it to prove itself:

    🔐 Keys generated inside TPMs or Secure Enclaves
    🧩 Certificates bound to a specific physical device
    ⚙️ Short-lived credentials that can’t be reused somewhere else

    Which means even if credentials are compromised… they can’t be used from an untrusted machine. That’s the difference between “this device looks okay” and “we know exactly what device this is.”

    👉 See how it works: https://hubs.ly/Q04f8x8w0


Funding

Smallstep 2 total rounds

Last Round

Series A

US$ 19.0M
