The perimeter moved to a corporate credit card, and Russell Spitler noticed first
Russell Spitler runs a company called Nudge Security, out of Austin, Texas, that does something small and increasingly urgent. It watches which SaaS apps and AI tools your employees sign up for using their work email, catalogs those apps, flags the risky ones, and sends the employee a polite message suggesting a better choice. The polite message is the product. The company has raised about $39 million to make sure the polite message arrives at the right moment.
This is, on paper, a governance product. In practice, it is a bet that the security perimeter of a modern company is no longer a firewall or an endpoint or even a login page. It is a credit card statement. The finance team already knows this. Security is catching up. Spitler is selling the map.
He and his co-founder Jaime Blasco - Nudge's CTO, and a longtime collaborator from AlienVault - launched the company publicly in October 2022. Since then Nudge has doubled its team from around twenty to closer to fifty, tripled its ARR two years running, and signed roughly two hundred customers across finance, biotech, healthcare, and entertainment. In November 2025, Cerberus Ventures led a $22.5 million Series A, bringing Ballistic Ventures, Forgepoint Capital, and Squadra Ventures along. Morgan Mahlock, of Cerberus, joined the board.
The framing Spitler has settled on for the moment is that the difference between an AI app and a SaaS app has evaporated. Every SaaS tool has an AI feature. Every AI tool ships with SaaS-style integrations, OAuth grants, and non-human identities that read your calendar, your Drive, and your Slack. Governing "AI" in isolation is, in his telling, an accounting fiction. You have to govern the whole surface.
That surface is enormous, growing, and mostly invisible. This is why Nudge exists.
Four security categories, on the ground floor of each one
Before Nudge, Spitler spent about fifteen years learning what does and does not sell inside enterprise security. He started at Fortify Software, one of the companies that effectively invented the application security category - the market Gartner now measures in the tens of billions. He was in product. He watched a category get built from nothing.
He then moved to AlienVault, where he ran product management, product strategy, and eventually held the SVP of Product title. AlienVault's play was a full-stack detection and response product priced for the mass market. It worked. During Spitler's tenure the company crossed thousands of commercial customers and tens of thousands of open source users. In 2012, he and Jaime Blasco co-founded the Open Threat Exchange - OTX - which is now one of the largest open threat intelligence communities in the world, with somewhere north of 180,000 participants depending on which year's number you use.
In 2018 AT&T acquired AlienVault. Spitler stayed on as VP of Products and Strategy at AT&T Cybersecurity, one of the five largest managed security service providers on the planet at the time. Big org, big responsibility, big customer base. He left to build something small on purpose.
Nudge is the result. It is a company built by a two-time product operator who has watched what happens when security tooling scales past the point where humans can be reasoned with, and who has, apparently, concluded that the fix is behavioral.
Discovery, then a nudge - in that order
Nudge Security's technical premise is that you can identify almost every SaaS or AI app an employee has signed up for by watching the signup email land in the corporate mailbox. Every SaaS free trial sends a confirmation. Every OAuth grant leaves an audit trail. Every "You joined a workspace" notification is, from Nudge's point of view, telemetry.
From there the product builds a full SaaS inventory: which app, which employee, which integrations, which permissions, which OAuth grants, which non-human identities, which last-used date. Then it applies the behavioral layer. Instead of blocking the app - the old shadow-IT playbook, which does not work and has never worked - Nudge sends the employee a message. Sometimes it is a request to justify the tool. Sometimes it is a recommendation to switch to the sanctioned equivalent. Sometimes it is an offboarding reminder when the employee leaves.
The bet on behavior over blocking is not new in security research. It is new as a shipping enterprise product.
A quiet operator, running a loud category
Spitler is not the type of founder who lives on the timeline. His public writing runs in Dark Reading, the AT&T Cybersecurity blog, and Forbes' Technology Council column - venues that are read by CISOs and no one else. His LinkedIn posts about Nudge tend to mention Jaime Blasco twice. The company's press quotes come with the ARR numbers attached but no chest-beating on top.
Everyone who has worked with him describes an operator: product-first, long-horizon, understated. This is the profile you want in the CEO of a security company. The category is full of people selling fear. Spitler is selling counts.
Why shadow AI is the same problem, times ten
The pitch to Cerberus, roughly reconstructed from the funding announcement, is that generative AI has done to enterprise IT what free-trial SaaS did a decade earlier, except faster and with far more sensitive data flowing outbound. An employee who spins up a paid ChatGPT workspace on a company card is not, in Nudge's frame, doing something categorically new. She is doing shadow IT with better UX and a bigger blast radius.
The old response - policy the tool out of existence - fails on contact with the actual workforce. The new response, Spitler argues, is to discover the tool the moment it appears, understand the integrations it opens, and route the employee toward a sanctioned equivalent without turning security into the department of no.
If he is right, "SaaS security posture management" and "AI governance" are the same market, and the winner needs the discovery layer more than the policy layer. Nudge has spent three years building the discovery layer.
- The schoolColby College, a small liberal-arts college in Waterville, Maine. BA, Computer Science.
- The partnershipHe and Jaime Blasco have now co-founded two things together: the Open Threat Exchange, and Nudge Security.
- The geographyNudge is headquartered in Austin. Spitler lists his personal base as New York.
- The four categoriesFortify (appsec), OTX (threat intel), AlienVault/AT&T (MSSP-scale XDR), Nudge (SSPM/AI governance). Ground floor of each.