The company that stopped saying "no" to employees - and started nudging them toward safer choices.
Every day, in every company, employees make small technology decisions. A free trial here. A new AI assistant there. An OAuth "Sign in with Google" click that quietly hands a third party the keys. Multiply that by a workforce, and you get the modern security problem: an attack surface built one well-meaning shortcut at a time.
Nudge Security was built for exactly that gap. Founded in 2021 in Austin, Texas, the company discovers and governs the sprawl of SaaS and AI applications that employees adopt - often without IT's knowledge - and then does something most security tools refuse to do: it treats the workforce as an ally rather than a liability. Instead of blocking apps, it sends a "nudge," a short, contextual message delivered through the browser, Slack, or Teams that guides the employee toward the safer path while letting them keep working.
The idea comes straight out of behavioral science. A nudge, in the academic sense, steers people toward better choices without taking their freedom to choose away. Applied to security, it is a quiet rebuke to a decade of tools that tried to lock everything down and mostly succeeded in teaching employees to route around them. "Nudge Security delivers visibility and governance at the Workforce Edge," the company says of itself - the edge being that messy, decentralized frontier where thousands of technology decisions get made every day, far from any central IT gatekeeper.
The two co-founders are not newcomers. Russell Spitler, the CEO, spent more than fifteen years in cybersecurity, leading product and strategy at AT&T Cybersecurity, AlienVault, and Fortify Software. Jaime Blasco, the CTO, is a well-known security researcher who ran AT&T Alien Labs, the company's threat-intelligence unit. Together, before Nudge, they helped build the Open Threat Exchange - described as the world's largest open threat-intelligence community. That pedigree matters: the pair spent years watching how attackers exploit organizations, and concluded that the softest target was rarely the firewall. It was the gap between what employees do and what security teams can see.
Nudge Security's customers are the security, IT, and governance-risk-compliance teams at mid-market and enterprise organizations - the people who inherit responsibility for tools they never bought. As of late 2025 the company counted nearly 200 customers, among them Reddit, whose security chief has spoken publicly in support of the product. Across its base, the platform has discovered more than 70,000 unique SaaS applications, a number that says as much about the scale of shadow IT as it does about the company's reach.
The core problem is visibility. You cannot secure what you cannot see, and most organizations have no reliable inventory of the apps, accounts, tenants, and integrations their people have created. Nudge Security starts there, detecting new SaaS and AI accounts as soon as they appear - what the company calls Day One discovery - without requiring an agent on every laptop or a VPN in the path. From that inventory flow the harder problems: which OAuth grants are risky, which accounts belong to employees who left months ago, which vendors just disclosed a breach, and, increasingly, which AI tools and agents are quietly ingesting company data.
That last category - shadow AI - has become the company's sharpest talking point, and for good reason. If shadow IT crept in over a decade, shadow AI arrived in a matter of quarters. Every employee with a browser can spin up an AI assistant, connect it to corporate email, and grant it standing permissions, all before lunch. Nudge Security's pitch is that the same discovery-and-nudge engine it built for SaaS maps cleanly onto AI: find the tools, score the risk, and reach the person who made the decision with guidance rather than a denial.
The company frames this as human-centric security, and the framing is more than marketing. Traditional controls assume the employee is the weakest link and design accordingly - blocking, restricting, and generating friction. Nudge inverts the assumption. If you give people timely, relevant information at the moment they are making a choice, the argument goes, most of them will make the safer one. The platform's playbooks and self-service app directory extend the same logic: let employees request access through a sanctioned path instead of going around IT entirely.
Nudge Security bundles what once required a stack of separate tools - discovery, posture management, identity governance, third-party risk, and spend - into a single self-service platform that deploys in minutes.
Finds every app, account, tenant, AI tool, agent, and integration ever created - detecting shadow IT and shadow AI on Day One. No agent, no VPN.
Continuously monitors misconfigurations and identity risks in critical apps like Microsoft 365, Google Workspace, Okta, Salesforce, and Snowflake.
Streamlines SSO onboarding, automates access reviews, and closes every account a departing employee ever touched.
Security profiles for 200,000+ vendors and alerts for breaches affecting third- and fourth-party providers.
Scores risky OAuth grants and enables two-click revocation of the permissions employees hand out.
Analyzes up to two years of historical SaaS spend to surface waste, redundant apps, and inactive accounts.
Guides employees via browser, Slack, Teams, and email without blocking - plus automated playbooks for offboarding and reviews.
Deploys in minutes through a lightweight integration. SSO, RBAC, and API access included at no extra cost.
From a $7M seed in 2022 to a $22.5M Series A in November 2025, Nudge Security has raised roughly $39M. Cerberus Ventures led the latest round, with Ballistic Ventures, Forgepoint Capital, and Squadra Ventures returning.
Bars show round size; 2024 reflects cumulative seed funding after the Forgepoint extension.
SaaS security posture management is not an empty field. Nudge Security competes with standalone SSPM vendors such as AppOmni, Obsidian Security, and CrowdStrike Shield (formerly Adaptive Shield), and with a wave of SaaS-security peers including Valence Security, Wing Security, Grip Security, Push Security, DoControl, and Lumos. Many of those tools lead with configuration monitoring and automated remediation for a defined set of sanctioned apps.
Nudge Security's differentiation is its starting point. Rather than beginning with a list of approved applications to harden, it begins with discovery - agentless, organization-wide, and reaching into the long tail of apps nobody sanctioned. Layered on top is the behavioral engine: the nudges, playbooks, and self-service directory that engage employees directly. Critics note that a discovery-first, engagement-first design can trade away some of the deep, continuous configuration enforcement that dedicated SSPM tools emphasize. Nudge's answer has been to add SSPM capabilities over time while keeping the workforce, not the app catalog, at the center of the model.
The business model reinforces the positioning. Nudge sells a B2B SaaS subscription with a genuine free trial and enterprise features included by default, betting that a product a security team can turn on in minutes will spread faster than one that needs a procurement cycle to justify. That product-led motion, the company says, helped drive 3x annual-recurring-revenue growth two years running.
Russell Spitler and Jaime Blasco reunite to build a security company for the decentralized, SaaS-first workforce.
Ballistic Ventures leads the seed round; the discovery-and-governance platform launches in October.
Forgepoint Capital joins the syndicate, bringing seed funding to $16.5M, as the platform adds SSPM capabilities.
Cerberus Ventures leads a Series A to accelerate workforce AI and SaaS governance; Morgan Mahlock joins the board. Customer count nears 200.
It discovers and governs the SaaS and AI applications employees adopt - covering shadow IT, security posture, identity governance, third-party risk, and spend - and nudges employees toward safer choices without blocking them.
It was founded in 2021 by Russell Spitler (CEO) and Jaime Blasco (CTO), who previously built the Open Threat Exchange and worked together at AT&T Cybersecurity.
Roughly $39M total: a $7M seed (later extended to $16.5M) and a $22.5M Series A led by Cerberus Ventures in November 2025.
It leads with agentless Day One discovery of all apps and AI tools and uses behavioral nudges delivered through the browser, Slack, and Teams, rather than relying only on blocking or configuration policies.
It deploys in minutes through a lightweight integration with no agent or VPN, works across all devices, and offers a free trial with enterprise features like SSO and API access included.