Ermetic logo

Shai Morag Co-founder & CEO Ermetic

Ermetic is an identity-first cloud infrastructure security platform that provides multicloud protection in an easy-to-deploy SaaS solution. Using advanced analytics to assess, prioritize and automatically remediate risks, Ermetic makes it possible to reduce your attack surface and enforce least privilege at scale even in the most complex cloud environments. With offices in Tel Aviv, Palo Alto, and Boston, Ermetic is led by industry veterans and backed by prominent cyber security investors. Around the world, organizations of all sizes are using Ermetic to mitigate access risk, secure cloud data, and ensure compliance.

Shai has more than 20 years of product management, technology leadership and senior executive experience. Before Ermetic, Shai served as the co-founder and CEO of Secdo, a cyber security company, where he led the company from its inception to a successful acquisition by Palo Alto Networks (NSDQ:PANW) for $100M in only three years. Before Secdo, Shai served as the CEO of Integrity-Project, a company specialized in connectivity, networking and security solutions. He led them to significant growth and an acquisition by Mellanox (NSDQ:MLNX). Shai also served for 10 years as an officer in the IDF Intelligence Corps Unit 8200, where he held a variety of roles in management and product development, and won several national awards for excellence. Shai is a graduate of the Talpiot program and earned an MBA from Tel Aviv University.

1. How did you first get interested in cybersecurity?

I first got interested in cybersecurity when I was in the army. I served in an intelligence unit that focused on cyber activity and that gave me a good base for moving into cybersecurity professionally once my service was complete.

2. How did you come up with this solution that your cybersecurity company provides?

When my co-founders and I joined forces on a startup, we wanted to tackle one of the biggest challenges in cybersecurity today. Our first step was to interview more than 50 CISOs and followed by a survey of another 300 CISOs in North America with the goal of learning about their challenges and where they struggle to do their job. We heard about a lot of challenges but there was a common pain that kept coming up in all our conversations: governing identities and access entitlements in the public cloud. We repeatedly heard that excessive access was one of their biggest risks, and one of the hardest to tackle…so we took it upon ourselves to solve this problem while building a comprehensive cloud infrastructure security platform .

3. How did you come up with the name of your cybersecurity company?

We really connected with the word and meaning of “Hermetic.” The concept of an air-tight seal really illustrated what our solution achieves. But…such is the story with so many startups these days, the domain was taken so we had to get creative.

4. Is there anything currently in the market which addresses the solution you provide?

Not as comprehensively, no. Identity-centric cloud security is unique and fairly new to the market. Gartner recently predicted that by 2023, 75% percent of security failures will be the result of mismanaged identities and entitlements and they created a new category of security offerings called Cloud Infrastructure Entitlement Management (CIEM). We were one of the first to market to provide a deep solution for securing human and service identities in AWS, Azure and GCP – in addition to robust Cloud Security Posture Management (CSPM) for all cloud resources.

5. How do you differentiate your company from your competition?

We offer a comprehensive CIEM and CSPM solution. Most other options out there can only provide one or the other, but we provide both. We know that identities are the largest attack surface and the hardest to address, and we didn’t back down in developing a solution that proactively reduces your attack surface, detects threats and reduces your blast radius in case of a breach. Ermetic provides accurate and actionable visualization of complex relationships so you have a clear picture of the landscape to enable the identification of the toxic scenarios that are the highest risk to your environment.

6. How did you decide who your core team will be ?

Arick Goomanovsky and I served in the military together and always talked about our dreams to build a company together. When we first started meeting investors, they were the ones who introduced us to the other two co-founders, Michael Dolinsky and Sivan Krigsman, who were also very experienced cybersecurity leaders that had worked together before. When Arick and I met with Michael and Sivan, we had instant chemistry and we all felt comfortable sharing ideas. We feel very lucky that our investors had the instincts to introduce us. We all bring our own strengths to the table and have learned so much from each other.

7. There is a lack of cybersecurity awareness,, especially during an employee’s onboarding/offboarding process. Should cybersecurity training be made compulsory?

8. Where do you think your company will be in 5 years time?

We’ve got big plans for Ermetic. We just closed our Series B round of funding at $70M and are looking forward to growing into a large public company with a full arsenal of cloud security tools.

9. What do you think are the top cybersecurity threats to
governments ?

I believe one of the top cybersecurity threats we all currently face is the threat of Ransomware. We recently conducted research that found that overall, in every environment we sampled, there were identities which, if compromised, could be used to execute ransomware. Every single environment! And not just that, but these identities were misconfigured with a risk factor and had the ability to perform ransomware on at least 90% of the buckets in an AWS account.
It’s widely accepted that AWS S3 buckets are often the default destination for data backups. But our research found that if misconfigured, those buckets can be at risk of compromise. You can read more about our findings here.

10. What do you think will be the greatest technological advancements in the coming years which will affect the cybersecurity industry?

I predict that advancements in AI will change the game for all of us. We’ll be able to see patterns more quickly and respond to them nearly instantly. With this kind of technology, we can practically eliminate false positives altogether and operationalize the gathered intelligence more quickly.

11. What is the one thing companies can do to improve their cybersecurity risk?

The first and most important step a company can take to reduce their cybersecurity risk is to hire someone to be in charge of their cybersecurity. The person can set and enforce policies and also educate and raise awareness internally from employees to executives and board members in order to build a united front where everyone understands the procedures and risks.

12. What is the one tip you could give an individual to minimize their cybersecurity risk?

Always verify who they’re interacting with online. So often, people unwittingly fall victim to phishing or other complex schemes because they don’t do enough research. If something seems too good to be true, it probably is!

13. Do you think the cybersecurity industry is going through a wave, bubble or natural growth?

I think we’re in the middle of a wave. There was already movement to the cloud, but everything was accelerated because of the COVID-19 pandemic. Companies who may have had a 5 or 10 year cloud infrastructure plan saw themselves faced with a need for immediate change. The move to the cloud has been swift and sweeping.

14. Other than work, how do you spend your time outside the cybersecurity realm?

Bridge, poker

Shai Morag is focused on innovative, value-driven offerings that accelerate the customers’ ability to achieve their goals as they securely join the digital transformation.

Ermetic logo

For more information, visit

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.