Push Security raises $15 million and launches a host of new features

Push Security has raised $15M in Series A funding. GV (Google Ventures) led the funding with participation from Decibel and notable angels, including Dug Song, former CEO at Duo Security, and Tray.io CEO Rich Waldron. GV General Partner Karim Faris and Jon Oberheide, co-founder and former CTO of Duo Security, have joined the board.

Hundreds of teams and more than 50,000 users rely on Push Security to uncover any employee-owned SaaS deployed within the business and remediate critical security vulnerabilities exposed by SaaS use.

To ensure Push was scalable, able to support the smallest to the largest organizations, and that the product could provide a fully self-service purchasing and onboarding process, the company was focused on strong UX and building the right features after launching in July 2022. Now that the company can focus on commercial success, Push has seen a 14X increase in revenue in the first quarter of 2023.

According to Push’s data, unchecked SaaS usage has increased significantly in the past year, leading to growing costs and security risks for enterprises:

• Since its launch last year in July 2022, Push has added nearly 500 SaaS apps.
• 41 percent of Microsoft 365 and 55 percent of Google Workspace app integrations were only used by a single employee.
• 23 percent of Microsoft integrations and 17 percent of Google integrations granted access to high risk assets and data such as email, calendar, and shared drives.
• Only one-third of Microsoft app integrations were approved by IT via OAuth. The other two thirds were provisioned directly by employees with no IT oversight or visibility.

“As security professionals, we’re facing a significant increase in SaaS risk and as a result, rethinking how we approach company security,” said Adam Bateman, Push Security’s CEO.

“An explosion in SaaS adoption, coupled with a big push to self-service platforms driven by product-led growth (PLG), means employees increasingly sign up and buy SaaS directly without going through the security team first. This creates an unwieldy sprawl of SaaS applications being introduced to the business with no corporate oversight. Security teams have to play catch-up to ensure these apps aren’t exposing their businesses to undue security risks or invalidating their security compliance,” Bateman continued.

Push Security has launched a host of new features to help security teams take control of their SaaS portfolio:

• Browser-based SaaS account discovery tool. Because it is the only platform to operate in the browser, Push enables a deeper, more complete assessment of user accounts employees have created that could be vulnerable to password guessing, credential stuffing, have been exposed as part of a prior breach, or are missing important security controls such as MFA.
• Just-in-time notifications empowering user-led compliance. Alerts are directed to security teams and employees through Slack and Microsoft Teams instant notifications to prevent employees from creating security issues, such as prevention of password re-use or weak passwords. With one click, employees can take action to secure their accounts.
• Managed browser extension deployment. Push can be installed via managed Chrome, Group Policy (Microsoft Active Directory), or Mobile Device Management (MDM) to every employee browser to ensure complete coverage.
• Detection of risky third-party integrations. A new dashboard allows security teams to see all SaaS integrations connected to core platforms (Google Workspace and Microsoft 365), with warnings if those integrations are doing anything suspicious or malicious, or asking for excessive or risky permissions.
• ChatOps messaging for security teams. Now Push administrators can receive notifications in Microsoft Teams or Slack channels to get alerted immediately when a new third-party integration is detected or a user contacted via ChatOps confirms that a mail rule looks suspicious.

“The threat landscape has shifted dramatically, as organizational IT resources have evolved from centrally-managed and hosted applications to team- or employee-managed cloud hosted SaaS with deep interdependencies (via integrations),” shares Sebastien Jeanquier, CSO at fintech company Upvest.

“Push allows us to gain deep insights into the usage of SaaS across our organization, including integrations that could pose a risk to company data, but also automate the remediation of these at scale by involving the internal users of SaaS application directly in the assessment and decision making,” Jeanquier continued.

“The global workforce is moving toward greater freedom and flexibility with SaaS applications, which introduces new security complexities and challenges,” says Karim Faris, General Partner at GV.

“That trend presents a critical need for better, simpler tools that engage employees and take the burden off centralized IT to manage SaaS sprawl. GV is excited to partner with the Push team as they help modern security teams navigate the evolving cybersecurity threat landscape,” Faris concluded.