As George Washington and Bill Belichick have often said: the best defense is a good offense. Truffle Security is one of the best examples of this adage in action: it helps companies find leaked credentials, keys, and passwords and remediate them before attackers can find and exploit them.
As more companies move to cloud and SaaS-based operations, the number of credentials tying those services together grows, and so do the opportunities for attackers to discover them. We’ve all seen the breach headlines year after year. One especially striking case came in December 2022, when the password manager LastPass disclosed that an attacker had used stolen cloud storage access keys and container decryption keys to copy a backup of customer vault data from a user base of roughly 30 million. The vaults in that backup remained encrypted with keys derived from each user’s master password, so the exposure came down to how strong those master passwords were.
Staving off these threats continues to be a tremendous undertaking. Thankfully, Truffle Security co-founder and CEO Dylan Ayrey is tackling it head-on with open source technology.
From TruffleHog to Truffle Security
Truffle Security got its start in 2016, when a then-unemployed Ayrey, working from the living-room sofa of his Rochester Institute of Technology classmate Dustin Decker, built a Python tool to help him earn bug bounties, the rewards companies pay for reported security vulnerabilities.
This tool, which he named TruffleHog, scans data for passwords, keys, and tokens, including the full commit history of a git repository, where a credential that was committed and later deleted is still recoverable. Such credentials let an application authenticate to cloud providers and other services, and they routinely end up committed to GitHub or exposed in other public-facing locations by accident. Detecting them early lets a company rotate the credential and protect sensitive data before anyone else finds it.
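To make the mechanics concrete, here is an added example of the two classic detection approaches a scanner like TruffleHog combines: pattern detectors for credential formats with a documented fixed shape, and Shannon entropy over candidate tokens for secrets that have no fixed format. This is illustrative code written for this article, not TruffleHog’s own source. The sample diff is constructed: the AWS values are the placeholder credentials from AWS’s own documentation, the GitHub token is a made-up string of the documented ghp_ length, and the hex value is the SHA-256 of the string "test". The entropy thresholds (4.5 bits per character for base64-style tokens, 3.0 for hex) are assumptions that mirror the original TruffleHog defaults.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample diff (not real leaked data). The AWS values are the
# placeholder credentials from AWS documentation, the ghp_ token is a made-up
# string of the documented length, and the hex value is sha256("test").
SAMPLE_DIFF = """\
diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,2 +1,7 @@
 APP_NAME=payments
-DEBUG=false
+DEBUG=true
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
+RELEASE_SHA256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
+# see docs at https://example.com/path/to/documentation
"""

# Pattern detectors: providers whose tokens have a documented fixed shape.
PATTERN_DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Entropy detectors: (charset regex, threshold in bits per character).
# Thresholds are assumptions mirroring the original TruffleHog defaults.
ENTROPY_DETECTORS = {
    "high_entropy_base64": (re.compile(r"[A-Za-z0-9+/=]{20,}"), 4.5),
    "high_entropy_hex": (re.compile(r"[0-9a-fA-F]{20,}"), 3.0),
}

# Characters that separate a key name from its value in config and code.
WORD_SPLIT = re.compile(r"""[\s=:"',;]+""")


@dataclass(frozen=True)
class Finding:
    detector: str
    line_no: int
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for the empty string, log2(len) when all distinct."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the added lines of a unified diff, as a pre-commit hook would."""
    findings: list[Finding] = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        found_here: list[str] = []
        # Fixed-format detectors first; they are precise regardless of entropy.
        for name, pattern in PATTERN_DETECTORS.items():
            for m in pattern.finditer(content):
                findings.append(Finding(name, line_no, m.group(0)))
                found_here.append(m.group(0))
        # Entropy detectors catch unstructured secrets, skipping tokens that
        # are already inside a pattern match so each secret is reported once.
        for word in WORD_SPLIT.split(content):
            for name, (charset, threshold) in ENTROPY_DETECTORS.items():
                for m in charset.finditer(word):
                    token = m.group(0)
                    if any(token in s for s in found_here):
                        continue
                    if shannon_entropy(token) >= threshold:
                        findings.append(Finding(name, line_no, token))
                        found_here.append(token)
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.detector}: {f.secret}")
```

Run the file to print the findings. Two things in the sample are worth noticing: the AWS access key ID has too little entropy to trip the entropy detector and is caught only by its pattern, while the release hash trips the hex detector even though it is not a secret at all. That second case is the noise a verification step exists to remove. A production scanner confirms a candidate against the provider before reporting it, which this example deliberately does not do.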
In the spirit of open-source development, Ayrey made TruffleHog freely available to others back in 2016.
Some users, like Ayrey, used it to go bug hunting for ethical purposes. Others, however, used it for less legitimate ends. And in a way, this is part of the reason TruffleHog blew up.
When a security researcher used TruffleHog to find keys belonging to DJI, a Chinese drone maker, buried deep in a script posted to GitHub, he used them to unlock his own drone so that he could fly it over restricted areas. (DJI programs soft limits into its drones’ firmware that prevent users from flying over geo-fenced areas such as airports, military sites, and national parks.)
“[The security researcher] unlocked his drone and then he made a little toolkit so that anybody can unlock their own DJI drones,” Ayrey said. “And then he posted that to Twitter.”
When the Chinese government caught wind of the fact that drones were flying freely because of keys that had made their way onto GitHub, it brought charges against the developer responsible for sharing the code, not the security researcher who posted the toolkit, resulting in a $29,000 fine and a six-month prison sentence.
The story made international headlines, and it was just one of many news items that drew attention to TruffleHog’s efficacy. Still, Ayrey considered the tool to be little more than a side project.
“I never planned on turning it into a company. It was just an open-source thing that I presented at conferences and maintained on the weekend,” Ayrey said.
But it soon became clear that companies were adopting more and more technologies that had to be interconnected via API keys and tokens, which meant more leaks and, in turn, more breaches. The open source tool that Ayrey was barely maintaining on nights and weekends kept gaining steam, with growing demand to address enterprise needs.
So in 2021, Ayrey quit his full-time job with Netflix to form Truffle Security, bringing on Decker and Julian Dunning — with whom he’d worked previously as a cybersecurity consultant — as co-founders.
From open-source side project to venture-backed startup
Initially, Ayrey and his co-founders aimed to limit their fundraising to friends and family. But investors were reaching out to offer cash as well as advice.
“A lot of the open-source traction had gotten people’s attention, and we had a lot of really reputable angel investors we had been talking to, like the founder of Material Security Ryan Noon and the founder of Signal Sciences Zane Lackey,” Ayrey said. “They helped put us on a path and said, ‘Here’s what you need to make a business out of this. It’s clear you’ve gotten a ton of community traction and the opportunity is there.’ And so that’s kind of how it all came together.”
This led to a pre-seed round with participation from Expa, Lytical, Harpoon, HNVR, Essence, Abstract, and other angel investors, which would be followed up a few months later with a $14M Series A led by a16z.
Truffle Security’s open-source philosophy
When asked about the distinctions between the free open source tool and the paid enterprise offering, Ayrey explained, “Our general philosophy is that if you're a researcher or a small shop, you should be able to use the open-source tool. It's crucial to us to support the little guy and give back to the community, so to speak. We’ll always be open source first, which is why our detection engine and all the secrets that we look for have always been entirely open source and there's no difference there between the paid and free offerings. We would have everything be open source if we could, but the larger enterprise users fund the open source investment, so some non-open source enterprise features are included.”
Looking to the future, Ayrey says the near-term focus will remain secrets detection and remediation, since Truffle Security today covers only a small fraction of the places secrets leak. Sources the company plans to support include Google Drive, Microsoft SharePoint, and email. It is also committed to improving the open source detection engine to recognize new types of secrets and to extending its verification, which checks a detected credential against the service that issued it to confirm the credential is still live, so that teams can prioritize active keys over stale ones.
Learn more about Truffle Security here.