The Palo Alto company that answers a deceptively simple question about your cloud: who did that, and should they have?
ABOVE: The mark of a company built by breach responders. Permiso's founders spent 25 years at FireEye and Mandiant watching attackers walk through the front door with valid credentials - then left to build the tool that would have caught them.
Here is the uncomfortable premise the entire cybersecurity industry has been slow to admit: most modern breaches don't involve kicking down a door. They involve someone - or something - walking in with a working key. A leaked API token. A phished password. A service account nobody remembered existed. The intrusion looks, to almost every security tool ever built, exactly like a normal login. That is the gap Permiso Security decided to live in.
Permiso is an identity security company. That phrase does a lot of quiet work, so let's unpack it. Your firewall watches the network. Your endpoint agent watches the laptop. Your cloud posture tool (CSPM, in the acronym-soup of the field) tells you which S3 bucket is embarrassingly public. All useful. None of them can tell you that the person logged into your AWS console at 3 a.m. is a threat actor wearing your DevOps engineer's credentials rather than the engineer working late. Answering that question - attribution, in the trade - turns out to be the whole game, and it's the thing Permiso built its platform around.
The founders came out of FireEye and Mandiant, the incident-response firms that get called after the worst has already happened. Co-CEOs Jason Martin and Paul Nguyen each spent roughly 25 years in the field; Phani Modali, the third co-founder, ran engineering and cloud security for about as long. When you spend a quarter-century cleaning up other people's breaches, you develop opinions about root causes. Their opinion, roughly: the tools were watching the wrong layer. So in 2020 they started a company to watch the right one.
Our mission is to turn cloud zeros into cloud heroes - to make it so a two-person security team can defend like a twenty-person one.
— Permiso Security, on why elite defense shouldn't require a Mandiant résuméPermiso's central idea is the Universal Identity Graph - a way of stitching thousands of scattered signals (logins, API calls, role assumptions, token grants) into a single, coherent picture of who each identity is and what it normally does. Once you have that baseline, deviation becomes visible. The token that usually calls three APIs from Ohio and is suddenly enumerating your entire environment from a data center in another hemisphere stops being noise and starts being an alert.
Crucially, "identity" here isn't just people. It's the sprawling, mostly-unwatched population of non-human identities - service accounts, keys, bots, CI/CD pipelines - that in a typical cloud environment outnumber humans by something like 45 to 1. And, as of 2026, it's AI agents: autonomous software that authenticates, calls tools, and touches data at machine speed. Permiso's bet is that every new kind of identity becomes a new attack surface faster than anyone is ready for.
The platform organizes itself around three verbs - Discover, Protect, Defend - spanning identity visibility, posture management (finding the stale and over-privileged accounts before an attacker does), and threat detection and response.
The core identity security platform - discover, protect, and defend identities across cloud and on-prem on one graph.
Identity Security Posture Management surfaces stale, orphaned, and over-privileged identities to shrink your attack surface.
Identity Threat Detection & Response catches takeover, credential abuse, and insider threats using behavioral analytics.
Identity Runtime Attribution extends detect-and-respond to autonomous AI agents across their full lifecycle.
Most security companies guard their detection logic like a family recipe. Permiso does something odder: its research arm, P0 Labs (a nod to "priority zero," the highest-severity incident class), publishes threat research on real cloud adversaries and then ships free, open-source tools to detect them. Ten of them, at last count.
CloudGrappler queries high-fidelity detections for known threat actors in AWS and Azure. YetiHunter hunts indicators of compromise in Snowflake - released, pointedly, after the wave of Snowflake data-theft campaigns that rattled the industry. There's also Cloud Console Cartographer, an Azure Activity Log tool, and SandyClaw, which sandboxes AI-agent skills and records every action to deliver a verdict.
The strategy is not charity, exactly. A rising tide of capable cloud defenders is good for the whole field, and the team that arms the community for free tends to be the team defenders trust with the paid platform. It's marketing that happens to also be a genuine contribution.
Detects well-known threat actors across AWS and Azure environments.
Finds indicators of compromise inside Snowflake environments.
Sandboxes AI-agent skills and records behavior at the LLM and OS level.
25+ years in cybersecurity; former EVP at FireEye/Mandiant. Spent a career on the response side before building the prevention side.
25+ years in security; former SVP at FireEye. Co-runs the company on the thesis that identity is the new perimeter.
25+ years in product development and cloud security, leading the engineering behind the Universal Identity Graph.
Permiso emerged from stealth in January 2022 with a $10M seed, then raised an $18.5M Series A led by Altimeter Capital in April 2024. Total reported funding sits around $57M across backers that include Point72 Ventures, Foundation Capital, 11.2 Capital, and Workbench.
| Round | Amount | Date | Lead / Investors |
|---|---|---|---|
| Seed | $10M | Jan 2022 | Point72 Ventures, Foundation Capital, 11.2 Capital, Workbench |
| Series A | $18.5M | Apr 2024 | Altimeter Capital (lead), Point72 Ventures |
Ex-FireEye/Mandiant leaders Jason Martin, Paul Nguyen, and Phani Modali start the company in Palo Alto.
Public launch backed by Point72 Ventures, Foundation Capital, 11.2 Capital, and Workbench.
Altimeter Capital leads the round; P0 Labs expands its open-source suite to ten tools.
Recognized at the 2025 SC Awards as the identity platform gains traction.
Launches Identity Runtime Attribution for AI agents with Autodesk, and wins Best ITDR Platform at the Cybersecurity Stars Awards.
Customers. Enterprise security and cloud teams, from mid-market up to the Fortune 500. Named users include Autodesk, Nutanix, ACV Auctions, Coupa, and Modern Health. Autodesk, notably, is using Permiso to secure the AI agents now running across its products and cloud infrastructure - a real-world test of the AI-identity thesis.
Competitors. Permiso sits in a busy, fast-moving neighborhood. Adjacent players include Wiz and CrowdStrike on the platform side, and specialists like Vectra AI, Obsidian Security, Mitiga, Oleria, and Push Security. Permiso's wager is that identity-first attribution is a distinct enough category to win on its own terms.
Permiso is an identity security company that discovers, protects, and defends human, non-human, and AI identities across cloud and on-prem environments, detecting account takeover, credential compromise, and insider threats.
It was founded around 2020 by Jason Martin and Paul Nguyen (Co-CEOs) and Phani Modali (SVP Engineering), all veterans of FireEye and Mandiant.
Permiso raised a $10M seed in 2022 and an $18.5M Series A led by Altimeter Capital in 2024, with total reported funding around $57M across investors.
Its P0 Labs research team has released ten free tools, including CloudGrappler for AWS/Azure threat detection and YetiHunter for Snowflake indicators of compromise.
Rather than flagging misconfigurations or aggregating logs, Permiso focuses on identity - attributing activity to specific human, machine, or AI identities and detecting when credentials are abused in real time.