He runs the company teaching enterprises to secure the identities no one is watching - the machines, the tokens, and now the AI agents.
ITAMAR APELBLAT
Walk into almost any large company today and count the accounts logging in. Most of them are not people.
They are service accounts, API keys, cloud workloads, database connections, and, increasingly, autonomous AI agents. These non-human identities now vastly outnumber human employees, and for years almost nobody was securing them the way they secured people. Itamar Apelblat wants to change that. As co-founder and CEO of Token Security, he leads a company built around a single, uncomfortable observation: while enterprises spent a decade locking down human logins with multi-factor authentication and single sign-on, the machines were left with standing credentials and no one to answer for them.
"Hackers don't break in; they log in," Apelblat says. It is his shorthand for a shift that has redrawn the security map. Attackers rarely need to smash through a firewall when a forgotten token or an over-privileged service account will quietly let them in the front door. "Enterprises have done a good job securing human identities with things like multi-factor authentication," he adds, "but automated systems are different."
That difference is the whole business. Token Security's platform sets out to discover every non-human identity across an organization's cloud and on-prem systems, work out who owns each one and what it actually does, rank the risky ones, and then help teams shut down or right-size access without breaking the automation that keeps the company running. The pitch is deceptively simple. The execution is the hard part, because the sprawl is enormous and invisible.
The idea did not arrive as a slide in a pitch deck. It arrived as a problem Apelblat could not stop thinking about. At a previous job he came across an outdated service account created for contractors that still carried full access to the organization's systems long after anyone remembered making it. Nobody was watching it. Nobody would have noticed if an attacker had used it. That forgotten account became the seed of a company.
Hackers don't break in; they log in. Enterprises secured human identities with things like multi-factor authentication - but automated systems are different.
The math behind Token Security is blunt. As cloud-native architectures and agentic AI spread, the count of non-human identities inside a typical enterprise has raced far ahead of the human headcount - and most of them were never governed the way people are.
Illustrative. Industry estimates commonly put non-human identities at tens of times the number of human users; exact ratios vary by organization.
Apelblat did not build Token Security alone. He founded it in 2023 with Ido Shlomo, now the company's CTO, a partner he had known for roughly sixteen years since their time in Israel's Unit 8200, the country's elite military intelligence outfit. Their roles there mirrored the two halves of the problem they would later attack together. Apelblat worked the defensive side, collaborating directly with the IDF's chief information security officer. Shlomo worked offense, training professional hackers.
That split - one person who spent years thinking about how to keep systems safe, one who spent years thinking about how to break them - gives the company a useful symmetry. During their service the two had already seen how compromised machine-to-machine communication could open doors that no human ever walked through. The company is, in a sense, the commercial version of a conversation they had been having for over a decade.
Apelblat is a second-time founder. Before Token Security he co-founded and served as CTO of Fibo, a fintech startup, and he studied at Reichman University. More than fifteen years in cybersecurity sit behind the current venture, and it shows in how narrowly the company defines its target. This is not a broad platform trying to do everything. It is a bet on one specific, growing gap.
The gap keeps widening in one direction in particular: AI agents. As companies rush to deploy autonomous software that can act, decide, and access systems on its own, Apelblat frames the challenge in familiar terms. Agents, he says, are "just another type of workforce that we need to protect" - but one that demands different thinking. An agent can be spun up in seconds, granted access, and left running with no clear owner and no clear boundary on what it is allowed to do.
Token Security's answer leans on what the company calls intent-based access management: tying an identity not just to a set of static permissions but to what it is actually supposed to be doing. It is the leash in the company's own phrasing - give every agent an identity, then keep it on a tether. That positioning has put Apelblat and Shlomo in front of the industry, including a spotlight at the RSAC Conference Innovation Sandbox, the security world's most-watched stage for early companies.
"Hackers don't break in; they log in."
"Enterprises have done a good job securing human identities - but automated systems are different."
"AI agents are just another type of workforce that we need to protect."
Token Security emerged from stealth in May 2024 with $7 million in seed funding led by TLV Partners, with backing from SNR and angels including Shlomo Kramer, the serial founder behind Check Point, Imperva, and Cato Networks. Eight months later, in January 2025, the company raised a $20 million Series A led by Notable Capital, bringing publicly reported total funding to at least $27 million. Executives from Palo Alto Networks, CrowdStrike, Check Point, and Venafi joined the round, along with cyber veterans such as Kevin Mahaffey, founder of Lookout.
The raise came with a move. Within a month of closing, Apelblat relocated from Israel to the United States, shifting the company's center of gravity to New York and closer to the enterprise customers - names like HPE and HiBob - that adopt this kind of security first. It was a fast, deliberate step for a company that had only just stepped out of stealth, and a sign of where Apelblat believes the market for securing the machine-first, AI-agent era is being decided.
A two-time founder - Token Security followed his earlier fintech venture, Fibo.
His co-founding partnership traces back roughly sixteen years to shared service in Unit 8200.
The investor roster reads like a cyber hall of fame, including the founders of Lookout and Cato Networks.
The whole company started from one forgotten service account with the keys to everything.
He is the co-founder and CEO of Token Security, a cybersecurity company that secures non-human identities such as service accounts, workloads, and AI agents. He previously served in Israel's Unit 8200 and co-founded the fintech startup Fibo.
Token Security is a non-human identity (NHI) security platform founded in 2023 that helps enterprises discover, govern, and secure the machine identities and AI agents that now outnumber human users.
A $7M seed round in May 2024 led by TLV Partners and a $20M Series A in January 2025 led by Notable Capital, bringing publicly reported total funding to at least $27M.
Founded in Israel, Token Security relocated its headquarters to New York following its January 2025 Series A.
Ido Shlomo, who serves as CTO. The two met in Unit 8200, where Apelblat focused on defense and Shlomo on offensive security.