Nudge Security emerges from stealth to tackle cybersecurity’s people problem

Social engineering attacks are on the rise. These low-tech but high-impact attacks — where hackers manipulate employees into granting them access to companies’ services and data — increased by almost threefold last year, and have so far this year claimed several high-profile victims, from Twilio and Mailchimp to Revolut, and most recently Uber. As these big names demonstrate, these kinds of attacks can be hard for even the most well-resourced organizations to protect against.

Now, cybersecurity startup Nudge Security is emerging from stealth to help organizations tackle what they think is the biggest cybersecurity weakness: people.

The fully remote company — with outposts in Austin, Texas and Jackson, Wyoming — was founded in 2021 by ex-AlienVault software engineers Russell Spitler and Jaime Blasco, who believe the only way to address the “people problem” is to make employees part of the solution. As its name suggests, its product does that by “nudging” employees toward optimal security behaviors, such as switching on multi-factor authentication (MFA) or changing their password if it has been involved in a breach.

The company’s security offering continuously uncovers historical and new software-as-a-service assets across an organization, including SaaS supply chains and OAuth grants, without relying on network infrastructure, endpoint agents, browser extensions or API integrations. When there’s a new “security critical” event, such as the creation of a new account or the installation of a new app, Nudge engages with that employee to ensure they are making good security choices. For example, if an employee downloads Dropbox but the organization uses Google Drive, Nudge will start a dialogue to understand why that decision has been made.

“We act as a sidecar in a way that allows employees to engage with the security team and allows the centralized team to still have visibility into what’s going on, set policies and have employees be part of that process in a way that doesn’t disrupt their work,” Nudge’s Spitler told TechCrunch. “We believe that every employee has the potential to behave in ways that support and strengthen the organization’s cybersecurity posture, it’s just not always simple or straightforward to do so.”

In order to ensure employees engage with these prompts, Nudge worked with Aaron Kay, a professor of psychology at Duke University, who showed the startup how it can take foundational research done in psychology in order to establish a relationship between our product and end users. “We’re trying to engage employees, and make sure we’re not coming across in a way that’s slapping your hands or waving a big red warning banner,” Spitler added.

Nudge is not claiming that it could have prevented Uber’s hack or Revolut’s breach — Spitler told TechCrunch, “we’ve been in the industry too long to make bold cases like that” — but that the company believes it can help organizations inform their risk posture not just in terms of who has access, but in terms of who has access to what and why.

“Like in the case of Uber, one of the things that has been a trend for collapse over the past few months is the complexity of these organizations,” Spitler said. “Social engineering plus complexity means that even if one user gets compromised, all of a sudden the organization starts to fall apart.”

“We also provide supply chain information,” added Blasco, Nudge’s co-founder and chief technology officer. “Let’s say your organization is using Slack, and they’re using Twilio, we’re able to tell you that Twilio is compromised.”

Nudge is launching its product six months after it secured a $7 million seed investment from Ballistic Ventures, a new VC outfit solely dedicated to advising and funding early-stage cybersecurity startups. Since this investment, Nudge has onboarded 10 customers, with another dozen or so in the large enterprise pilot phase.

“The product that we’ll be delivering this week is really our focus right now, and then we’ll be scaling up our marketing and sales efforts,” Spitler said. “When we start to expand on that front, we’ll probably look to raise another round.”