BREAKING Smallstep named top-10 finalist at RSAC 2025 Innovation Sandbox Jamf partnership brings hardware-backed identity to enterprise Apple fleets $26M raised across seed and Series A ACME Device Attestation co-developed with Google at the IETF step-ca: the open-source private CA running inside thousands of orgs Founded 2016 in San Francisco by Mike Malone BREAKING Smallstep named top-10 finalist at RSAC 2025 Innovation Sandbox Jamf partnership brings hardware-backed identity to enterprise Apple fleets $26M raised across seed and Series A ACME Device Attestation co-developed with Google at the IETF step-ca: the open-source private CA running inside thousands of orgs Founded 2016 in San Francisco by Mike Malone
Company Dossier Cybersecurity · San Francisco Est. 2016
Smallstep logo
The Certificate People

Smallstep

The company that took the least-loved chore in security - running a certificate authority - and turned it into the world's first device identity platform.

A logo, a laptop, and one stubborn idea: that a password you can type is a password someone can steal. Photographed here as the mark that ships inside thousands of open-source deployments.

$26M
Total Raised
~29
Employees
2016
Founded
#10
RSAC 2025 Finalist
The Story

A very hard, very boring problem

Here is a fact that security vendors would rather you not dwell on: most breaches don't involve some cinematic zero-day. They involve a credential that was completely real, presented by an attacker who was not. The password worked. The token validated. The door opened for the wrong person. Smallstep's entire reason for existing is a wager that this is the problem worth solving, and that the solution is unglamorous - certificates, hardware attestation, key rotation, the plumbing beneath zero trust.

The company started in 2016 when Mike Malone, previously CTO at the gaming-infrastructure startup Betable, went looking for a way to secure machine-to-machine communication in distributed systems. What he found was that the cryptography was fine. TLS worked. The problem was that the machinery to issue, rotate and revoke certificates at scale was missing, so almost nobody did it properly. Certificates expired at 3 a.m. Private keys sat in git repos. The theory of a secure internet and the practice of one had quietly diverged.

So Smallstep did something that looks, in retrospect, either patient or reckless: it spent roughly six years building open-source tools and almost no revenue. That is a long time to be a venture-backed company mostly giving things away. It also turned out to be the whole strategy.

When security is easy, everyone wins.
— Smallstep's founding thesis, reduced to five words
What They Built

From a CLI to a platform

2018 · OPEN SOURCE

step-ca

A private certificate authority for X.509 and SSH, plus an ACME server. It let teams run their own TLS-everywhere infrastructure and single sign-on for SSH without a PhD in PKI. It quietly became one of the most-used open private CAs in the world.

2018 · OPEN SOURCE

step CLI

Described by its own community as a "zero-trust swiss army knife" - a command-line tool for X.509 certificates, OAuth, JWT and OATH OTP. The Trojan horse: engineers adopted it for small tasks and stayed for the whole toolchain.

2023 · COMMERCIAL

Device Identity Platform

The paid product. It issues hardware-backed device certificates and enforces policy-driven access to Wi-Fi, VPNs, SaaS apps and SSH - across Apple, Android, Windows and Linux fleets. Billed as the first of its kind.

2023 · STANDARD

ACME Device Attestation

Co-developed with Google at the IETF. It uses the security chip inside a device to prove that device is real, then binds credentials to that hardware. A stolen key becomes useless off the machine it was minted on. Positioned as the successor to the aging SCEP.

4
Operating Systems Covered
2
Funding Rounds
1
IETF Standard w/ Google
SOC
Compliance Maintained
Why It's Different

The password is the liability

Most access-control products ask a version of the same question - "do you know the secret?" A password, a one-time code, a bearer token. The trouble with secrets is that they travel. They get phished, copied, leaked and replayed, and the system on the other end has no way to tell a legitimate holder from a thief. Smallstep's argument is that you should ask a different question entirely: "are you the specific piece of hardware I trust?"

That is what hardware attestation buys you. The credential isn't a string a human types; it's bound to a co-processor soldered into a particular laptop or phone, and it can't be lifted off that device. A phisher can trick a person, but they can't hand over a chip. It is a subtle shift - from proving knowledge to proving physical identity - and it happens to close the exact gap that most breaches drive through.

Cool authorization product, but we don't have authentication yet.
— A customer's shrug that redirected the whole company toward certificates
What You Can Do With It

In practice

You want to…Smallstep gives you
Run your own CAstep-ca: a private, lightweight certificate authority you can stand up in minutes and scale horizontally for high availability.
Use TLS everywhereAutomated, short-lived certificates for services, VMs and containers on AWS, GCP and Azure - no more 3 a.m. expirations.
Secure SSHSingle sign-on for SSH with short-lived certificates tied to your identity provider and hardware-bound device certificates.
Lock down Wi-Fi, VPN & SaaSPolicy-driven access that only opens for verified, attested devices - not just anyone holding a password.
Manage an Apple fleetHardware-backed identity for every managed device via the Jamf partnership and ACME Device Attestation.
The Timeline

How they got here

2016

Smallstep founded

Mike Malone, ex-CTO of Betable, sets out to solve identity for distributed systems.

2018

step & step-ca released

The open-source CLI and private certificate authority ship and start spreading across the developer world.

2019

$7M seed round

boldstart ventures leads, with Accel, Bain Capital Ventures and Upside Partnership.

2022

$19M Series A

StepStone Group leads, pushing total funding to $26M and sharpening the zero-trust focus.

2023

Device Identity Platform & ACME DA

Smallstep commercializes its toolchain and launches hardware attestation co-built with Google.

2025

RSAC finalist & Jamf partnership

Named a top-10 RSAC Innovation Sandbox finalist; teams with Jamf for hardware-backed Apple identity.

People & Backers

Who's behind it

Mike Malone — Founder & CEO

A distributed-systems enthusiast and former CTO of Betable, and a published author in cybersecurity policy. He's the through-line: the person who decided the missing piece of secure infrastructure was certificate management, then spent years proving it in the open.

A developer-first team

Roughly 29 people, with alumni of Let's Encrypt (ISRG), Sauce Labs, Kenna Security (Cisco), Pivotal and Dell EMC. Leadership includes a CTO, VP of Engineering, CRO and head of operations - small, technical, open-source-native.

The investors

$26M from StepStone Group (Series A lead), boldstart ventures (seed lead), Accel, Bain Capital Ventures and Upside Partnership. Bain's public thesis: someone should finally take the headache out of certificate management.

The partners

Google, on the ACME Device Attestation standard at the IETF; Jamf, on hardware-backed identity for Apple fleets; and Okta, for identity and device-inventory integration.

Watch & Listen

Interviews & demos

Founder conversations and product context from around the web. Search links open to the most relevant results.

Questions

Frequently asked

What does Smallstep do?

Smallstep provides device identity and certificate management. It offers the open-source step-ca certificate authority and a commercial platform that binds access to Wi-Fi, VPNs, SaaS apps and SSH to verified hardware.

Who founded Smallstep and when?

Mike Malone founded Smallstep in 2016. He was previously CTO at Betable and leads the company as CEO.

What is ACME Device Attestation?

A standard Smallstep co-developed with Google at the IETF. It uses hardware co-processors to attest a device's identity and bind credentials to hardware, preventing exfiltration, phishing and impersonation. It's positioned as an upgrade to the older SCEP protocol.

How much funding has Smallstep raised?

$26M total: a $7M seed round and a $19M Series A led by StepStone Group in April 2022.

Is Smallstep open source?

Yes. Its core tools - step-ca and the step CLI - are open source and widely used, while the commercial Device Identity Platform adds a hosted CA, attestation, policy enforcement and support.

Find Smallstep

Links & sources

Website GitHub LinkedIn Twitter / X Facebook Docker Hub Blog Crunchbase
zero trustcertificate managementpkidevice identity acme device attestationmtlssshstep-ca hardware attestationopen sourcex509cybersecurity
Share

Pass it on

in · LinkedIn X · Post f · Facebook Instagram

The unglamorous bet

Smallstep is wagering that the future of enterprise access has fewer passwords and more proof - that trust should be bound to hardware you can verify, not secrets anyone can steal. It spent six years building the boring, load-bearing part in the open. Now it's selling the confidence that comes with it.