The company that took the least-loved chore in security - running a certificate authority - and turned it into the world's first device identity platform.
A logo, a laptop, and one stubborn idea: that a password you can type is a password someone can steal. Photographed here as the mark that ships inside thousands of open-source deployments.
Here is a fact that security vendors would rather you not dwell on: most breaches don't involve some cinematic zero-day. They involve a credential that was completely real, presented by an attacker who was not. The password worked. The token validated. The door opened for the wrong person. Smallstep's entire reason for existing is a wager that this is the problem worth solving, and that the solution is unglamorous - certificates, hardware attestation, key rotation, the plumbing beneath zero trust.
The company started in 2016 when Mike Malone, previously CTO at the gaming-infrastructure startup Betable, went looking for a way to secure machine-to-machine communication in distributed systems. What he found was that the cryptography was fine. TLS worked. The problem was that the machinery to issue, rotate and revoke certificates at scale was missing, so almost nobody did it properly. Certificates expired at 3 a.m. Private keys sat in git repos. The theory of a secure internet and the practice of one had quietly diverged.
So Smallstep did something that looks, in retrospect, either patient or reckless: it spent roughly six years building open-source tools and almost no revenue. That is a long time to be a venture-backed company mostly giving things away. It also turned out to be the whole strategy.
When security is easy, everyone wins.— Smallstep's founding thesis, reduced to five words
A private certificate authority for X.509 and SSH, plus an ACME server. It let teams run their own TLS-everywhere infrastructure and single sign-on for SSH without a PhD in PKI. It quietly became one of the most-used open private CAs in the world.
Described by its own community as a "zero-trust swiss army knife" - a command-line tool for X.509 certificates, OAuth, JWT and OATH OTP. The Trojan horse: engineers adopted it for small tasks and stayed for the whole toolchain.
The paid product. It issues hardware-backed device certificates and enforces policy-driven access to Wi-Fi, VPNs, SaaS apps and SSH - across Apple, Android, Windows and Linux fleets. Billed as the first of its kind.
Co-developed with Google at the IETF. It uses the security chip inside a device to prove that device is real, then binds credentials to that hardware. A stolen key becomes useless off the machine it was minted on. Positioned as the successor to the aging SCEP.
Most access-control products ask a version of the same question - "do you know the secret?" A password, a one-time code, a bearer token. The trouble with secrets is that they travel. They get phished, copied, leaked and replayed, and the system on the other end has no way to tell a legitimate holder from a thief. Smallstep's argument is that you should ask a different question entirely: "are you the specific piece of hardware I trust?"
That is what hardware attestation buys you. The credential isn't a string a human types; it's bound to a co-processor soldered into a particular laptop or phone, and it can't be lifted off that device. A phisher can trick a person, but they can't hand over a chip. It is a subtle shift - from proving knowledge to proving physical identity - and it happens to close the exact gap that most breaches drive through.
Cool authorization product, but we don't have authentication yet.— A customer's shrug that redirected the whole company toward certificates
| You want to… | Smallstep gives you |
|---|---|
| Run your own CA | step-ca: a private, lightweight certificate authority you can stand up in minutes and scale horizontally for high availability. |
| Use TLS everywhere | Automated, short-lived certificates for services, VMs and containers on AWS, GCP and Azure - no more 3 a.m. expirations. |
| Secure SSH | Single sign-on for SSH with short-lived certificates tied to your identity provider and hardware-bound device certificates. |
| Lock down Wi-Fi, VPN & SaaS | Policy-driven access that only opens for verified, attested devices - not just anyone holding a password. |
| Manage an Apple fleet | Hardware-backed identity for every managed device via the Jamf partnership and ACME Device Attestation. |
Mike Malone, ex-CTO of Betable, sets out to solve identity for distributed systems.
The open-source CLI and private certificate authority ship and start spreading across the developer world.
boldstart ventures leads, with Accel, Bain Capital Ventures and Upside Partnership.
StepStone Group leads, pushing total funding to $26M and sharpening the zero-trust focus.
Smallstep commercializes its toolchain and launches hardware attestation co-built with Google.
Named a top-10 RSAC Innovation Sandbox finalist; teams with Jamf for hardware-backed Apple identity.
A distributed-systems enthusiast and former CTO of Betable, and a published author in cybersecurity policy. He's the through-line: the person who decided the missing piece of secure infrastructure was certificate management, then spent years proving it in the open.
Roughly 29 people, with alumni of Let's Encrypt (ISRG), Sauce Labs, Kenna Security (Cisco), Pivotal and Dell EMC. Leadership includes a CTO, VP of Engineering, CRO and head of operations - small, technical, open-source-native.
$26M from StepStone Group (Series A lead), boldstart ventures (seed lead), Accel, Bain Capital Ventures and Upside Partnership. Bain's public thesis: someone should finally take the headache out of certificate management.
Google, on the ACME Device Attestation standard at the IETF; Jamf, on hardware-backed identity for Apple fleets; and Okta, for identity and device-inventory integration.
Founder conversations and product context from around the web. Search links open to the most relevant results.
Smallstep provides device identity and certificate management. It offers the open-source step-ca certificate authority and a commercial platform that binds access to Wi-Fi, VPNs, SaaS apps and SSH to verified hardware.
Mike Malone founded Smallstep in 2016. He was previously CTO at Betable and leads the company as CEO.
A standard Smallstep co-developed with Google at the IETF. It uses hardware co-processors to attest a device's identity and bind credentials to hardware, preventing exfiltration, phishing and impersonation. It's positioned as an upgrade to the older SCEP protocol.
$26M total: a $7M seed round and a $19M Series A led by StepStone Group in April 2022.
Yes. Its core tools - step-ca and the step CLI - are open source and widely used, while the commercial Device Identity Platform adds a hosted CA, attestation, policy enforcement and support.
Smallstep is wagering that the future of enterprise access has fewer passwords and more proof - that trust should be bound to hardware you can verify, not secrets anyone can steal. It spent six years building the boring, load-bearing part in the open. Now it's selling the confidence that comes with it.