The Story of Smallstep: Building the Future of Security Infrastructure
Sometimes the most compelling startup stories begin not with a revolutionary new technology, but with the recognition that existing technologies need to work differently. In a recent episode of Category Visionaries, Mike Malone shared how Smallstep emerged from the growing tension between modern software development practices and traditional security infrastructure.
The Genesis
Mike’s path to founding Smallstep wasn’t a sudden epiphany but a culmination of years of hands-on experience. As he explains, the company “formed out of my experiences as an engineering leader and as someone who’s building complex distributed systems.” Having spent his career “bouncing between startups across a bunch of different verticals” including “consumer web, various SaaS and platform plays,” Mike had a front-row seat to the evolving challenges of securing modern software systems.
The core problem became increasingly clear: traditional security approaches weren’t keeping pace with modern development practices. The challenge was “securing distributed systems in the context of modern software development… with Kanban and sort of that pace and scale of development, microservices like layering on security and having real strong security guarantees and compliance guarantees without breaking all of that sort of modern technology.”
Building the Foundation
Rather than creating entirely new security protocols, Smallstep focused on making existing, proven technology work better in modern contexts. As Mike explains, “certificate asymmetric cryptography, all this security stuff seems like it’s an area that a lot of smart software engineers shy away from and maybe don’t specialize in. It feels very baroque and obscure, and a lot of the tooling hasn’t helped with that.”
The company built its foundation on open source, creating a core technology stack focused on certificate management tools. This wasn’t just about managing a few certificates – it was about handling security at an entirely different scale. As Mike points out, “people don’t have just like a dozen internal certificates anymore. They have their Kubernetes and their service meshes and their databases and all their VMs and microservices and Kafka and ELK stack.”
Growing the Business
Smallstep’s growth strategy combined open source commitment with commercial innovation. The company built a range of offerings “from a free tier all the way up to a million dollars a year” with “over 100 customers taking advantage of various scale offerings.” Their approach to content marketing was equally innovative, giving their team a “really broad mandate to just write about what they’re passionate about that’s in this space.”
The results speak for themselves: “millions of open source downloads” and “dozens of Fortune 500 are on our website reading docs for open source.” More importantly, they’re now “selling six and beginning to sell seven figure deals.”
The Road Ahead
Looking to the future, Smallstep’s vision extends far beyond just managing certificates. Mike sees the company evolving towards a world where “enterprises and large software systems and the Internet as a whole is more secure and safer for everybody.” This vision of democratizing security infrastructure while maintaining its robustness could reshape how enterprises approach security in an increasingly distributed world.
The future presents both challenges and opportunities. As software systems become more complex and distributed, the need for sophisticated yet accessible security infrastructure only grows. Smallstep’s journey from addressing a specific pain point in certificate management to building a comprehensive platform for managing trust in modern systems illustrates how technical founders can transform complex, traditional technologies into solutions that work for today’s development practices.