The IT admin opens a spreadsheet. 312 apps. 47 of them speak SAML.
Somewhere in a finance department right now, a contractor is being offboarded. HR clicks a button. Okta does its thing across the 47 federated apps. The other 265 - the social handles, the legacy invoice tool, the obscure SaaS the marketing team adopted at SXSW two years ago - those stay behind. Open. Logged in. Forgotten.
That gap is Cerby's entire business.
The Alameda-based company sells what it calls "identity security automation" - software that reaches into the apps traditional identity providers cannot see, and does the work an enterprise security team is supposed to do but does not have the headcount to do. Rotate the password. Revoke the session. Enforce MFA on the tool that was never designed for MFA. Cerby calls this the "last mile" of identity. Everyone else in the industry calls it the headache.
SAML covered the easy half. Everyone agreed to ignore the rest.
For two decades the identity industry built itself around a comforting fiction: that enterprise applications would, eventually, all support the same standards. SAML, SCIM, OIDC. Federated login. Provisioning APIs. Sign here, deprovision there, audit everything in between.
The fiction held up for the apps the IT department actually bought. It fell apart everywhere else.
Marketing teams adopted TikTok Business and a brand monitoring tool. Finance signed up for a niche reconciliation app. Sales rotated through a half-dozen prospecting tools per quarter. None of these apps - the ones that actually move the business - support enterprise identity standards. And so the credentials lived in shared password managers, sticky notes, Notion docs labeled "do not share."
Ponemon Institute eventually put a number on the pain: 52% of organizations had experienced an incident tied to nonstandard apps. The average cost of manually onboarding and offboarding one employee across those apps came in around $1,000 per head. Multiply that by attrition, multiply that by every SaaS subscription marketing forgot to mention.
This was not a corner case. This was the majority of the SaaS stack.
Three engineers from a video-streaming company decided to fix identity.
Cerby was founded in September 2020 by Belsasar "Bel" Lepe, Vidal Gonzalez, and Jyri Virkki. The three had worked together at Ooyala, the video infrastructure company, and then again at Wizeline. They were not, strictly speaking, identity people. They were infrastructure people who had spent years watching marketing teams adopt tools that drove security teams to distraction.
Founders' pedigree, in three lines
- Bel Lepe - CEO. Ex-Google. Co-founded Ooyala. The one who talks to investors.
- Vidal Gonzalez - CTO. Engineering lead at Ooyala and Wizeline. The one who draws the architecture diagrams.
- Jyri Virkki - Chief Architect. Veteran systems engineer. The one who reads RFCs for fun.
Their bet was deceptively unsexy. They would not invent a new identity standard. They would not try to convince TikTok to suddenly support SCIM. They would build a layer of automation - robotic process automation, then machine learning, then agentic AI - that would do the work a human admin would otherwise have to do, app by app, click by click.
Investors found this interesting enough to write checks. Bowery Capital and Ridge Ventures led an early seed in 2021. Two Sigma Ventures led a $17M Series A in 2023, with Okta Ventures and Salesforce Ventures along for the ride. By May 2025 the company had closed a $40M Series B led by DTCP, then extended it to $54M total four months later when Deloitte Ventures, Valor Equity Partners, and others showed up uninvited and asked to be let in.
The Cerby platform, explained without the buzzwords (mostly).
What Cerby actually sells is a platform that sits next to Okta, Azure AD, Ping, and the other major identity providers. When a new hire joins, Cerby provisions their nonstandard accounts. When they leave, Cerby revokes them. In between, it rotates credentials, enforces MFA where the underlying app does not natively support it, and writes everything to an audit log so the compliance team can sleep.
The catalog of supported apps - what Cerby calls the Cerby Application Network - has crossed 2,000. The most recent funding will, in the company's words, "extend agentic AI capabilities" across that network, which is the 2026 way of saying: the bots will get smarter.
The interesting design choice is that Cerby does not try to be the identity provider. It defers to whatever Okta, Microsoft Entra, or Ping is already in place. That is the only honest way to sell into a Fortune 500 IT department - acknowledge that the IdP decision was made four CIOs ago, and is not getting unmade for a startup.
A small company history, told in receipts
L'Oreal. Fox. Allstate. Chime. Dentsu.
The customer list is the answer to the question every Series B identity startup eventually has to answer: who actually buys this?
Cerby has named L'Oreal, Fox, Allstate, Chime, and Dentsu publicly, alongside more than 100 other organizations. The pattern is consistent - large enterprises with sprawling marketing or operational footprints, where the nonstandard app problem is not a footnote but a major source of audit findings.
The investor list reads similarly. DTCP led the Series B. Okta Ventures and Salesforce Ventures both expanded their stakes - notable because both companies sell identity products of their own and could, theoretically, build what Cerby builds. Instead they invested. That is either a vote of confidence or a hedge. Probably both.
"No app left behind" - the slogan that does most of the work.
Cerby's stated mission is to eliminate the operational burden and security risk created by manual identity workflows. Said less politely: stop making humans do robot work, especially when the robots they bought already cost six figures a year.
The phrase the company keeps returning to - in pitch decks, in blog posts, in the founders' LinkedIn essays - is "no app left behind." It is a useful slogan because it captures what the larger identity industry has implicitly conceded for years. Some apps were always going to be left behind. The federated ones got the love. The rest got password managers and good wishes.
Cerby's argument is that "the rest" is now most of the stack. And if security is only as strong as the weakest credential, then leaving 90% of the apps unmanaged is the same as leaving the front door open.
Agentic AI eats the password reset ticket.
The thing Cerby will spend its Series B on, according to its own announcement, is agentic AI. The vision: software agents that handle identity tasks autonomously across the long tail of apps, learning each app's quirks without a human having to write a custom integration for every one.
If this works the way Cerby thinks it will, the implication is interesting. The 2,000-app catalog stops being a catalog and starts being a baseline. Any new SaaS tool a marketing team adopts gets automatically integrated, automatically governed, automatically deprovisioned when the contractor's contract ends. The shadow IT problem does not get smaller. It gets absorbed.
It is also, quietly, a bet on a specific theory of how enterprise software evolves. Cerby is not betting that standards will eventually win. It is betting they never will. That the long tail of SaaS is permanent, and the value lies in managing it, not waiting for it to clean itself up.
Same IT admin. Same spreadsheet. Different ending.
Back to the contractor being offboarded. HR clicks the button. Okta handles the federated 47. And then - this is the part that did not exist five years ago - Cerby handles the other 265. The social handles, the legacy invoice tool, the obscure SaaS from SXSW. Sessions revoked. Passwords rotated. Audit log written. The contractor is gone from the system the way an ex is supposed to be gone from your phone. Cleanly.
The spreadsheet, mercifully, can be closed.