StepSecurity
Company Details
Linkedin ID:
step-security
Website:
Employees number:
22
Number of followers:
13,119
NAICS:
541514
Industry Type:
Homepage:
stepsecurity.io
IP Addresses:
0
Company ID:
STE_6233568
Scan Status:
In-progress
StepSecurity Company CyberSecurity Posture
stepsecurity.io
StepSecurity secures CI/CD at scale by enforcing runner-level network egress controls, providing secure, drop-in replacements for third-party actions, and ensuring only policy-compliant workflows run. Over 8,000 open-source projects, including those from Cybersecurity and Infrastructure Security Agency (CISA), Google, Microsoft, Datadog, Kubernetes, NodeJS, and Ruby, use StepSecurity to harden their CI/CD pipelines. Our enterprise tier is currently deployed at customers in the crypto, healthcare, and cybersecurity industries. The StepSecurity platform secures more than 8,000,000 CI/CD job runs every week.
StepSecurity A.I CyberSecurity Scoring
StepSecurity Risk Score (AI oriented)Between 650 and 699
StepSecurity
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
StepSecurity Global Score (TPRM)XXXX
StepSecurity
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
StepSecurity Company CyberSecurity News & History
Past Incidents
1
Attack Types
1
StepSecurity: Seven ways to manage NHIs
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: COMMENTARY: Invisible connections drive the modern enterprise. Today, beneath every automated workflow lies a complex web of API keys, OAuth tokens, and service accounts that let sensitive data move across apps and services. Many organizations are dangerously exposed. Recent high-profile breaches reveal a disturbing pattern: attackers target app-to-app access to move laterally and remain undetected. With third-party breaches surging to 30% of all incidents , recent events at GitHub and Snowflake confirm that non-human credentials are cybercriminals' new frontier. The rise of AI usage amplifies the challenge. AI tools and agents often inherit the same API access as humans, but they operate at machine speed and scale. They process vast data and trigger complex, multi-service workflows, all while flying under the radar of legacy security monitoring. Consider an AI productivity tool connected to Google Workspace, Salesforce, and Slack. The AI agent holds tokens granting it access to emails, customer data, and communications. If these tokens are compromised, the attacker gains a rapid, cross-application foothold across the entire SaaS and AI ecosystem, often without triggering the human-focused behavioral analytics designed to spot suspicious activity. The security community has invested heavily in monitoring and enforcing constraints around activities based on human identities. Now it’s time we increase visibility and control over the more prevalent and insidious non-human i
StepSecurity Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for StepSecurity
Incidents vs Computer and Network Security Industry Average (This Year)
StepSecurity has 112.77% more incidents than the average of same-industry companies with at least one recorded incident.
Incidents vs All-Companies Average (This Year)
StepSecurity has 56.25% more incidents than the average of all companies with at least one recorded incident.
Incident Types StepSecurity vs Computer and Network Security Industry Avg (This Year)
StepSecurity reported 1 incidents this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 1 data breaches, compared to industry peers with at least 1 incident.
Incident History — StepSecurity (X = Date, Y = Severity)
StepSecurity cyber incidents detection timeline including parent company and subsidiaries
StepSecurity Company Subsidiaries
StepSecurity secures CI/CD at scale by enforcing runner-level network egress controls, providing secure, drop-in replacements for third-party actions, and ensuring only policy-compliant workflows run. Over 8,000 open-source projects, including those from Cybersecurity and Infrastructure Security Agency (CISA), Google, Microsoft, Datadog, Kubernetes, NodeJS, and Ruby, use StepSecurity to harden their CI/CD pipelines. Our enterprise tier is currently deployed at customers in the crypto, healthcare, and cybersecurity industries. The StepSecurity platform secures more than 8,000,000 CI/CD job runs every week.
Loading...
StepSecurity Similar Companies
Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest s
CrowdStrike
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints and cloud workloads, identity and data. Powered by the CrowdStrike Security Cloud and world-clas
.png)
StepSecurity CyberSecurity News
September 25, 2025 07:00 AM
CISA: Extensive supply chain compromise necessitates immediate dependency checks
Organizations' security teams have been urged by the Cybersecurity and Infrastructure Security Agency to improve software monitoring...
September 24, 2025 07:00 AM
CISA urges dependency checks following Shai-Hulud compromise
Security teams are urged to review their software environments after a major supply chain attack on the NPM ecosystem.
September 18, 2025 07:00 AM
Shai-Hulud malware campaign dubbed 'the largest and most dangerous npm supply-chain compromise in history' — 'hundreds' of JavaScript packages affected
Security researchers are tracking a malware campaign that has compromised hundreds of packages distributed via the npm ecosystem.
September 16, 2025 10:38 PM
CrowdStrike Among Those Hit In NPM Attack Campaign
More than 20 CrowdStrike NPM packages were among nearly 200 NPM packages hit by a sophisticated supply chain attack. The compromised packages were quickly...
September 16, 2025 07:00 AM
Attackers breach the NPM ecosystem by weaponizing ctrl tinycolor and infecting more than 40 packages with two million weekly downloads
NPM Supply Chain Breach - The NPM ecosystem is reeling from a supply chain attack that compromised the widely used @ctrl/tinycolor.
September 16, 2025 07:00 AM
Shai-Hulud: A Persistent Secret Leaking Campaign
On September 15, a new supply chain attack was identified that targeted the @ctrl/tinycolor and 150 other NPM packages.
September 16, 2025 07:00 AM
Shai-Hulud: A Persistent Secret Leaking Campaign
On September 15, a new supply chain attack was identified that targeted the @ctrl/tinycolor and 150 other NPM packages.
September 16, 2025 07:00 AM
Self-replicating worm hits 180+ npm packages in (largely) automated supply chain attack
A potentially monumental supply chain attack is underway, thanks to a self-replicating worm that's been compromising npm packages.
September 16, 2025 07:00 AM
Massive Supply Chain Attack Hijacks ctrl/tinycolor With 2 Million Downloads and Other 40 NPM Packages
A sophisticated and widespread supply chain attack has struck the NPM ecosystem, compromising the popular @ctrl/tinycolor package,...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
StepSecurity CyberSecurity History Information
Official Website of StepSecurity
The official website of StepSecurity is https://www.stepsecurity.io.
StepSecurity’s AI-Generated Cybersecurity Score
According to Rankiteo, StepSecurity’s AI-generated cybersecurity score is 686, reflecting their Weak security posture.
How many security badges does StepSecurity’ have ?
According to Rankiteo, StepSecurity currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does StepSecurity have SOC 2 Type 1 certification ?
According to Rankiteo, StepSecurity is not certified under SOC 2 Type 1.
Does StepSecurity have SOC 2 Type 2 certification ?
According to Rankiteo, StepSecurity does not hold a SOC 2 Type 2 certification.
Does StepSecurity comply with GDPR ?
According to Rankiteo, StepSecurity is not listed as GDPR compliant.
Does StepSecurity have PCI DSS certification ?
According to Rankiteo, StepSecurity does not currently maintain PCI DSS compliance.
Does StepSecurity comply with HIPAA ?
According to Rankiteo, StepSecurity is not compliant with HIPAA regulations.
Does StepSecurity have ISO 27001 certification ?
According to Rankiteo,StepSecurity is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of StepSecurity
StepSecurity operates primarily in the Computer and Network Security industry.
Number of Employees at StepSecurity
StepSecurity employs approximately 22 people worldwide.
Subsidiaries Owned by StepSecurity
StepSecurity presently has no subsidiaries across any sectors.
StepSecurity’s LinkedIn Followers
StepSecurity’s official LinkedIn profile has approximately 13,119 followers.
NAICS Classification of StepSecurity
StepSecurity is classified under the NAICS code 541514, which corresponds to Others.
StepSecurity’s Presence on Crunchbase
Yes, StepSecurity has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/step-security.
StepSecurity’s Presence on LinkedIn
Yes, StepSecurity maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/step-security.
Cybersecurity Incidents Involving StepSecurity
As of December 02, 2025, Rankiteo reports that StepSecurity has experienced 1 cybersecurity incidents.
Number of Peer and Competitor Companies
StepSecurity has an estimated 2,899 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at StepSecurity ?
Incident Types: The types of cybersecurity incidents that have occurred include .
Additional Questions
.png)
Latest Global CVEs (Not Company-Specific)
Description
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.
Risk Information
cvss3
Base: 7.1
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Description
fastify-reply-from is a Fastify plugin to forward the current HTTP request to another server. Prior to 12.5.0, by crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. This vulnerability is fixed in 12.5.0.
Risk Information
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.
Risk Information
cvss4
Base: 8.5
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder.
Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Portkey.ai Gateway is a blazing fast AI Gateway with integrated guardrails. Prior to 1.14.0, the gateway determined the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF attacks. This vulnerability is fixed in 1.14.0.
Risk Information
cvss4
Base: 6.9
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=step-security' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
