Meet Cerbos, Winner of Startups of The Year 2024 in Access Control

The special Startups of The Year 2024 Winners Interview series is a celebration of all this year’s Tech Champions. You’ve earned it! The HackerNoon community can’t wait to learn more about your journey!

Tell us about you.

Cerbos is an authorization management solution for authoring, testing, and deploying access control policies. Implement scalable and secure fine-grained authorization.

Cerbos externalizes authorization from core application code, enabling teams to implement secure, adaptable access controls faster and with greater confidence.

Cerbos makes authorization a scalable service rather than a bottleneck.

Tell us how your startup is changing the world.

Authorization has been a hidden complexity inside application code for too long, slowing development and increasing risk. Cerbos changes that by externalizing and standardizing access control.

By offering a low-code, stateless, and language-agnostic solution, Cerbos transforms authorization from an opaque, hardcoded process into a flexible, auditable, and collaborative part of modern software architecture. We enable companies to adapt quickly to security, regulatory, and product changes—without reengineering their applications from scratch.

What sets you apart from the competition?

Cerbos was built from the ground up to support flexibility, scalability, and security at scale.

Stateless PDPs: Deliver low-latency, in-environment decisions without managing application state.

Policy-as-Code: Enable versioning, testing, and collaboration like any other critical part of the stack.

Zero Cloud Lock-In: Deploy Cerbos anywhere—on-prem, cloud, hybrid.

Fine-Grained: Combine role, attribute, and contextual information seamlessly.

Built-in audit logging: Meet compliance needs like ISO27001 and SOC2 without extra effort.

Developer-first tooling: SDKs, starter projects, and the Cerbos Playground for collaborative policy development.

Identity-Agnostic Authorization: Cerbos can authorize access for humans, non-human identities (NHIs), AI agents, services, and more—all using the same set of tested, audited, and versioned policy for consistent authorization.

In short, Cerbos turns months of engineering complexity into days of implementation, and that’s just the beginning.

What does it mean for you to win this title?

Winning HackerNoon’s Startup of the Year for Access Control validates both the problem we set out to solve and the way we approached it.

It’s confirmation from the tech community that secure and scalable authorization isn’t just a “nice-to-have”—it’s becoming a critical layer of modern infrastructure.

This recognition drives us to continue pushing the standard for what good authorization looks like.

What do you love about your team, and why are you the ones to set out for this mission?

At Cerbos, we’re a globally distributed team united by a shared mission: to make authorization simple and accessible for developers everywhere. Our diverse backgrounds span large-scale distributed systems, developer tooling, and cloud-native architectures, all of which require fine-grained access controls, equipping us with the expertise to tackle the complexities of access control.

Our culture is built on core values:

• Clarity and Pragmatism: We prioritize straightforward solutions that address real-world developer challenges, avoiding unnecessary complexity.
• Security and Reliability: Every line of code is written with a focus on robust security practices and dependable performance.
• Open Collaboration: We believe in working transparently and cohesively, fostering an environment where ideas are shared, and feedback is valued.
• Continuous Learning: Our team embraces change and is always eager to learn, adapt, and improve based on new information and technologies.

By embodying these principles, we’ve created a team that’s not only capable of addressing the intricate challenges of modern authorization but also passionate about delivering solutions that empower teams to build secure applications with ease.

Looking back, what milestone was the biggest turning point for your startup?

Launching Cerbos Hub was a pivotal moment – after releasing our open source policy decision point to the world, we got a tonne of insights and feedback from real-world production use cases of where Cerbos could be used, and what workflows were missing in order to operate in both small companies and global enterprise businesses.

Cerbos Hub took these pains and delivered a holistic solution for authorization – It proved that policy management, testing, and observability—at scale—could be done in a way that both developers and security teams could love.

It also marked Cerbos’ move from a tool used by early adopters to a complete platform adopted by large-scale production environments.

What’s one valuable lesson you learned this year that you’d pass on to other startups?

One of the most valuable lessons we at Cerbos want to share with other startups, is the critical importance of deeply understanding your market and validating your product concept before scaling. This insight was a cornerstone of our journey and is something we’d strongly pass on to other startups.​

Cerbos was born from firsthand experience. Our co-founders had dealt with authorization challenges countless times across various companies, from startups to tech giants like Google. They recognized that authorization was often a recurring problem that diverted valuable time and resources away from a company’s core mission. This realization led to the creation of Cerbos: a solution designed to prevent teams from repeatedly reinventing the authorization wheel.​

Before writing a single line of code, we engaged extensively with potential customers to understand their pain points around authorization. This proactive approach ensured we were addressing a real, unmet need in the Identity and Access Management (IAM) space, which is poised for significant growth.​

For startups, our key takeaway is this: invest time in understanding your users’ needs and validate your product concept thoroughly. This foundation will guide your development, help you avoid costly missteps, and position you for sustainable growth.

How do you envision your industry evolving in the coming years, and how will your startup stay ahead?

Applications are growing more complex. Identities are no longer just humans—they now include AI agents, non-human identities (NHIs), services, bots, and IoT devices.

In this environment, permissions must adapt in real-time, across distributed systems, without introducing security gaps or compliance risks.

Cerbos is already pushing into these frontiers.

• Guardrails for AI and RAG-based systems: As AI agents increasingly access sensitive enterprise data, Cerbos enables fine-grained filtering of knowledge sources at query time, ensuring AI responses are built only from data the user is authorized to see.
• Secure authorization for Non-Human Identities (NHIs): Cerbos helps protect against OWASP-identified threats to machine identities, by enforcing context-aware, dynamic authorization policies that adapt to automated workflows and system-to-system interactions.
• Policy versioning and testing automation: Building resilient access control requires robust tooling to validate policies before deployment. Cerbos offers a test-driven approach to authorization that ensures changes don’t introduce regressions.
• Visibility and auditing at global scale: With Cerbos’ real-time audit logs and policy observability features, organizations can meet regulatory standards like SOC2 and ISO27001 while securing systems against insider and external threats.

We’ll stay ahead by continuously focusing on:

• Developer experience: Providing powerful yet intuitive tooling.
• Security rigor: Anticipating new attack surfaces as architectures evolve.
• Architecture flexibility: Supporting decentralized, hybrid, and AI-augmented environments without forcing lock-in or complex rewrites.

How do you or your company intend to embrace the responsibility of this title in 2025?

We’ll continue investing in:

• Expanding integrations across ecosystems and frameworks
• Deepening developer tooling for policy testing, validation, and audit
• Leading standards efforts around authorization patterns in cloud-native and AI-enabled systems as a member of the OpenID Foundation AuthZEN working group
• Growing our open-source community, because secure systems are built better together

Winning is motivation—but responsibility is fuel for continuous improvement.

What goals are you looking forward to accomplishing in 2025?

• Enhanced AI security

  • Access controls around prompts

  • Access controls around RAG vector stores

  • Access controls around MCP Servers

• Enhanced NHI security
  • Educate authorization practitioners on how best to authorize non-human identities
  • Contribute to the evolving identity fabric design with targeted solutions for access control use cases
  • Continue to leverage identity standards such as SPIFFE for authorizing workloads