When it comes to the world of cybersecurity, identity is often thought of as a “perimeter” around an organization. So many breaches begin through techniques like password theft, phishing, and credential stuffing; ergo, securing the identities of not only users, but also applications and machines, is the key to securing the whole system.

Easier said than done — as the recent security breach at the U.S. Treasury demonstrated. Now, Clutch Security — one of the startups building tools to focus on the space on non-human (machine) identity — is announcing $20 million in funding, underscoring the demand in the market to address the issue.

SignalFire is leading this round with participation also from Lightspeed Venture Partners and Merlin Ventures, existing backers that invested in its previous $8.5 million seed round. Clutch said it would be using the funding for R&D, product development and to expand its business development.

Clutch today has integrations with close to 60 infrastructure services, applications and identity provides most popular with enterprises. It secures a variety of data that these use to interface with each other, including API keys, service accounts, “secrets”, tokens and other credentials. Clutch’s platform provides services like network visibility, posture and risk management, lifecycle management, via a zero-trust approach. There is scope to cover much more: the average number of machine identities in a typical large enterprise has ballooned in the last couple of years, from 320,000 in 2022 to 1 million in 2024, according to research from Venafi (a competitor of Clutch’s).

Clutch’s focus on perimeter breaches, by coincidence, came into existence at the moment when another perimeter was breached. The Tel Aviv startup was founded in October 2023, more or less on the heels of Israel getting attacked by Hamas and in turn going to war against it in Gaza.

CEO Ofir Har-Chen — who co-founded Clutch with Sagi Haas and Tal Kimhi (pictured above; Har-Chen is far left) — said that building a company at that moment was a blessing and a curse. On one hand, people were very distracted and distressed by the events that were unfolding, and many were simply unavailable to work, as they were stepping into positions supporting the situation at hand, many joining up with the military. On the other hand, for those who were working, it definitely focused their minds.

He said the company struggled to hire anyone at first, taking on its first employees finally in  February. But then, it built its first minimum-viable product within just three months. “I would say that we probably have probably one of the best engineering teams in Israel, because all of them are veterans of in the space,” he said. Har-Chen is among those veterans: he’s spent 20 years working across a range of cybersecurity technical and executive roles, both within the Israeli government and in private firms. (Haas and Kimhi meanwhile are alums of Axonius, another cyber firm.)

The problem that Clutch decided to pursue, meanwhile, is “one as old as time,” Har-Chen continued. Service accounts in Windows Active Directory have been examples of where machine identities can be exploited by malicious hackers, and these have been in operation since 1994, he said. “There is nothing new here.” But the advent of cloud computing and the explosion of software as a service as the primary way that applications are used, he added, “has exacerbated the problem.”

Add to this the entry of AI, and specifically AI agents, which have become the newest target for malicious hackers.

“I think we’re seeing the pendulum swing from the human being as the weakest link, to the non-human, or the machine,” he said. “AI agents are now being rapidly adopted in the enterprise, replacing manual tasks done by humans.” He said he believes there will be a bigger influx now of attacks aiming to compromise these agents, “just a proliferation of attacks.”

Clutch is far from the first company to identify the problems here. The crowded market includes the likes of Semperis, which last year raised at a $1 billion valuation to focus just on that legacy issue of Active Directory; Astrix Security, which raised $45 million this past December; Oasis, a buzzy Israeli startup that raised $40 million a year ago; CyberArk, which acquired machine-to-machine security firm Venafi for over $1.5 billion last year;   Silverfort, which is taking a holistic approach to identity; and Token Security, which also raised $20 million days ago.

The speed with which Clutch is building is one reason why investors are especially interested in this startup over (or alongside) all of these others. “What Clutch has achieved in such a short time is remarkable – they’re not just building a groundbreaking platform, they’re reshaping the entire industry,” said Guru Chahal, Partner at Lightspeed Venture Partners, in a statement. “Their work is already pushing cybersecurity forward in meaningful ways, and as enterprises start embracing agentic AI, I believe Clutch will be transformative.”