Smallstep

Ensure that access to sensitive corporate resources is only possible from trusted devices with Smallstep Device Identity

About us

Ensure that only company-owned devices can access financial data, code repositories, PII, SaaS apps, and other sensitive resources with hardware-bound credentials.

Website
https://smallstep.com/
Industry
Computer and Network Security
Company size
11-50 employees
Headquarters
San Francisco, CA
Type
Privately Held
Founded
2016
Specialties
Identity, Security, mTLS, PKI, open-source, SSH, certificate management, and Zero Trust

Updates

  • Have you ever wondered what’s the difference between ACME and ACME Device Attestation (ACME-DA)?

    Traditional ACME was built to solve a very specific problem: how to automatically issue certificates for servers by proving control of a domain. It works by asking a simple question: 👉 “Do you control this domain?” If you can answer that through DNS or HTTP challenges, you get a certificate. It’s fast, automated, and works incredibly well for web infrastructure.

    But devices don’t have domains. And more importantly, domains don’t prove what is actually making the request. That’s where warning signs start to shoot up and things start to break down. ⚠️

    ACME Device Attestation (ACME-DA) extends the ACME model by shifting the question entirely. Instead of validating domain ownership, it asks: 👉 “Can this device prove what it is?”

    With ACME-DA, keys are generated inside secure hardware like a TPM or Secure Enclave. That hardware produces a signed attestation, or a cryptographic proof of where the key came from. The certificate authority then verifies that proof all the way back to a known manufacturer root before issuing a certificate.

    The result is fundamentally different. Instead of issuing a certificate to something that passed a challenge, you’re issuing a certificate to a specific, verified physical device. 💻📱✅

    That shift from validating control to verifying identity is what makes device identity possible at scale. And if you’re building Zero Trust, it’s a pretty important distinction!

    Learn more about ACME DA here! 👉 https://hubs.ly/Q04cnHTf0

    #Smallstep #DeviceIdentity #ZeroTrust #ACME #CyberSecurity

  • 👋 If you found us from a conference, an ad, or just ended up here… welcome! We’re glad you’re here! 🙌

    We are Smallstep! ✨ We believe when security is easy, everyone wins. And we’re building toward a future where trusted people, tools, and resources can seamlessly and securely connect anytime, anywhere so good can thrive!

    But getting there means solving a problem most security tools still don’t answer very well: “Can you actually prove what device this request is coming from?”

    Because in most environments today, the flow looks like this:
    Verify the user ✅
    Check a few signals ✅
    Assume the device 🤷‍♂️

    That last part is where things tend to fall apart. We built Smallstep to fix that. 🔨

    We’re the world's first device identity platform that uses hardware-backed identity and short-lived certificates to make sure access comes from real, trusted devices and not just something that looks/acts compliant.

    What does that actually mean in practice?
    🔐 Wi-Fi devices authenticate with certificates, not shared passwords
    💻 SSH uses short-lived, device-bound access instead of long-lived keys
    🌐 ZTNA / SaaS / internal apps make access decisions based on verified devices, not network assumptions
    ⚙️ Automation & workloads secure access without hardcoded secrets

    So instead of trusting signals… you’re requiring ACTUAL proof. That means:
    🔐 No reusable credentials floating around
    🧩 No guessing if a device is actually yours
    ⚙️ No extra steps for users, just automatic, cryptographic identity

    While we may seem like a small team (just coming up on 10 years), we are made up of some of the most passionate, talented, and thoughtful people we know in security. And while we’re small, the impact isn’t, as we are trusted by 78 of the Fortune 100! 🏆

    If you’ve ever looked at your security stack and thought, “this feels solid… but still kind of fragile?” You’re in the right place! 🤝

  • We all heard about the cyber attack on Stryker, but did you know it could’ve been prevented? ✅

    This wasn’t ransomware. No sophisticated exploit. No malware. Tens of thousands of devices across 79 countries were wiped… using Stryker’s own trusted tools... and all it took was a single compromised admin credential. 🫠

    The system worked exactly as designed—because it had no way to answer one critical question: Where is this request actually coming from?

    Most security models are built to verify who someone is. But attackers don’t break that, they reuse it. Even with MFA and device posture checks, a valid session can still be:
    • Replayed
    • Proxied
    • Made to look legitimate

    What’s missing is proof of the device itself. If you can’t verify the machine behind a login, any credential you trust can be used by someone you don’t. That’s the gap, and it’s bigger than most teams realize.

    Read the full breakdown in the comments! #CyberSecurity #DeviceIdentity #ZeroTrust #Security #Smallstep

  • Ever feel like something’s a little off with your Zero Trust strategy? 🤔 You verify the user… but are you quietly assuming the device?

    Next week, we’re breaking down how Google, Meta, and Snap actually secure devices at scale and why true Zero Trust starts with device identity.

    In this session, we’ll walk through how they:
    🔐 Prove device trust with hardware-backed identity
    🧩 Build real, trusted device inventories (not spreadsheets)
    ⚙️ Replace shared secrets with short-lived, certificate-based access
    🚀 Enforce access across SSH, SaaS, Wi-Fi, and internal systems—without adding friction

    📅 April 7 | 9 AM PT / 12 PM ET

    If you’re building Zero Trust and something still feels incomplete… this might help you figure out the missing piece! 🧩

    👉 Register now! https://hubs.ly/Q049R7X70

  • 🚨 Announcing: SmallSCEP™ — Device Enrollment, Reimagined (Again) 🚨

    After years of hearing from customers that modern device identity is “too secure,” “too automated,” and “too predictable”… we decided to go back to what everyone really wants: SmallSCEP™ — a return to simpler times.

    With SmallSCEP™, you can finally enjoy:
    • Shared secrets at scale
      Stored in configs, copied into scripts, and occasionally emailed for convenience
    • Trust-on-first-use enrollment
      Because if the device asked nicely, it’s probably fine
    • Long-lived certificates
      Set it once, forget it forever (or until something breaks… quietly)
    • A debugging experience like no other
      Is it the CA? The MDM? The payload? The phase of the moon? Yes.
    • Interoperability through vibes ✨
      Works differently everywhere, but that’s part of the charm

    We know modern approaches like ACME Device Attestation, short-lived credentials, and hardware-backed identity are powerful… but sometimes you just want to deploy something on a Friday and hope for the best. 🤞🏼

    HAPPY APRIL FOOLS DAY! 🎉

  • Have you ever wondered how companies like Google, Meta, and Snap actually secure devices at scale? 🤔

    Not with more MFA. Not with posture checks alone. They treat device identity as a foundational control, something that’s continuously verified, not assumed.

    In this live webinar session with Founder and CEO Michael Malone and Sr. Staff Engineer Carl Tashian, we’ll break down how the “titans of tech” approach device trust differently, and what that looks like in practice across real environments.

    You’ll learn how they:
    🔐 Use hardware-backed identity to prove devices are what they claim to be
    🧩 Build and maintain trusted device inventories at scale
    ⚙️ Move to dynamic, certificate-based enrollment instead of shared secrets
    🚀 Enforce access across Wi-Fi, SSH, SaaS, and internal systems without adding friction

    Join us on Tuesday, April 7 at 9am PT / 12pm ET to learn how leading tech companies actually secure devices at scale! Be sure to come with your questions for Mike to answer live! See you then! 👋

    👉 Register here: https://hubs.ly/Q048TGCx0

  • As AI agents move from answering questions to taking real actions—running shell commands, calling APIs, deploying code—the security model we’ve relied on for decades starts to break down.

    This Forbes-published article by Tony Bradley dives into that shift, using the Air Canada chatbot case as a starting point and unpacking what happens when agents operate with high privilege, high connectivity, and limited constraints.

    The core issue: Most security models were built around trusted humans. AI agents don’t have judgment, incentives, or self-preservation. That creates a new class of risk.

    The article highlights our integration with Keycard and how solving this requires addressing two sides of the same problem:
    🔐 Keycard → runtime governance
      Enforcing policy on what an agent can do—tool calls, credentials, and actions in real time
    🧩 Smallstep → hardware-backed device identity
      Verifying where the agent is running before it ever receives credentials

    As our CEO and founder Michael Malone explains in the piece, most current approaches (OAuth, API keys) are still essentially shared secrets—a model that’s been around for 30 years and is easy to impersonate. With hardware-bound identity and attestation, that changes:
    👉 No attestation → no certificate → no access

    The integration brings these together into a single chain of trust—linking every action back to: a verified environment, an agent, a user, and a task.

    If you take anything away from this article, take away: this isn’t just a policy problem. It’s an infrastructure problem. If you can’t verify the environment an agent is running in, you can’t reliably govern what it does.

    Worth a read if you’re thinking about AI, security, and what needs to change next.

    👇🏼 Check it out in the comments below! 👇🏼

    #AI #CyberSecurity #DeviceIdentity #ZeroTrust #Smallstep #Forbes

  • We took over Bluestone Lane this morning with Fleet Device Management and Dr. Zero Trust, and it turned into exactly what we hoped for - great conversations, a full house, and a much better start to the RSAC day than the hotel buffet!

    From early coffee and grab-and-go breakfast to signed copies of RipTide and a full ride over to Moscone, it was a steady flow of security folks talking through device identity, AI, and what real Zero Trust looks like in practice.

    Huge thanks to everyone who stopped by and to Fleet and Dr. Zero Trust for making it such a great way to kick off the day!

    #RSAC #RSAC2026 #Smallstep #Fleet #DeviceIdentity #CyberSecurity

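The ACME-DA decision described in the ACME vs ACME-DA post above (key bound to hardware, a signed attestation, the CA verifying it back to a manufacturer root) and the "no attestation, no certificate, no access" rule from the Keycard post, as an added Python example using the `cryptography` package. It is not Smallstep's code: the manufacturer root, the attestation-key (AK) certificate, the nonce and the `nonce || key` statement format are constructed stand-ins for what a real TPM or Secure Enclave and a real ACME-DA CA would exchange.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509.oid import NameOID

def _cert(cn, issuer_cn, pub, signer_key, ca):
    # Constructed test certificate; a real TPM/Secure Enclave AK cert comes from the vendor.
    now = dt.datetime.now(dt.timezone.utc)
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(hours=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def _der(pub):
    return pub.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)

def attest(ak_key, ak_cert, nonce, dev_pub):
    # Device side: the AK signs nonce || DER(enrolled key). Simplified; real ACME-DA uses TPM/Apple formats.
    sig = ak_key.sign(nonce + _der(dev_pub), ec.ECDSA(hashes.SHA256()))
    return {"ak_cert": ak_cert, "dev_pub": _der(dev_pub), "sig": sig}

def ca_decide(manufacturer_root, nonce, csr_pub, attestation):
    # CA side: returns "issue" or a refusal reason. No attestation -> no certificate.
    if attestation is None:
        return "refuse: no attestation presented"
    ak = attestation["ak_cert"]
    try:  # 1. the AK certificate must be signed by the known manufacturer root (one-level chain here)
        manufacturer_root.public_key().verify(ak.signature, ak.tbs_certificate_bytes,
                                              ec.ECDSA(ak.signature_hash_algorithm))
        # 2. the statement must bind this CA's nonce to the key being enrolled
        ak.public_key().verify(attestation["sig"], nonce + attestation["dev_pub"], ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return "refuse: attestation is forged or does not chain to the manufacturer root"
    if attestation["dev_pub"] != _der(csr_pub):  # 3. the CSR key must be the attested hardware key
        return "refuse: CSR key is not the attested key"
    return "issue"

def demo(nonce=b"constructed-ca-nonce"):
    # Honest hardware-backed enrolment, a software key with no attestation, and a key swap.
    root_key, ak_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    root = _cert("Constructed Manufacturer Root", "Constructed Manufacturer Root", root_key.public_key(), root_key, True)
    ak = _cert("Constructed Device AK", "Constructed Manufacturer Root", ak_key.public_key(), root_key, False)
    dev, soft = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    att = attest(ak_key, ak, nonce, dev.public_key())
    return {"honest": ca_decide(root, nonce, dev.public_key(), att),
            "no_attestation": ca_decide(root, nonce, soft.public_key(), None),
            "key_swap": ca_decide(root, nonce, soft.public_key(), att)}
```

The key-swap case is the one a domain-style challenge cannot catch: the attestation is genuine, but the key in the CSR is not the key the hardware vouched for, so the CA refuses.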

Funding

Total rounds
2
Last round
Series A
US$ 19.0M