We're announcing our $4.8M seed round to build the authorization layer that agentic AI has been missing since the first multi-agent system shipped a raw OAuth token in a plain-text config file.
Why this round, why now
Fortify Fund led the round with participation from angels who built security tooling at HashiCorp, Cloudflare, and Okta. The round closed March 14, 2025. We are announcing it publicly now because we have enough product to show, not because we needed press.
The problem we are solving has existed since the first LangChain agent got handed a GitHub OAuth token with full repo write access. That was two years ago. In the interim, nobody built the infrastructure to manage what happens to those tokens after the agent runs. Alter is that infrastructure.
During the six months of pre-launch customer research that led to this round, we audited the OAuth token inventory of seven production agentic systems. Five of them had active tokens belonging to agents that had been decommissioned. The median zombie token age was 94 days. The median scope was broader than the agent ever needed. That is not a theoretical risk — that is the current state of production AI agent deployments.
What Fortify Fund saw
Fortify Fund invests at the infrastructure layer before the category has a name. When we first talked to them in November 2024, there was no established term for what we were building. "OAuth for AI agents" was not yet a search query. The market existed — hundreds of teams were shipping agents against OAuth-protected APIs — but nobody had named the security gap yet.
What convinced them was a single artifact: a Datadog log export from a beta customer showing 1,200 active OAuth tokens from agents that had been shut down three months earlier. Every token was still valid. All of them carried repo write access to a GitHub organization. The customer had no process for revoking them because they had no inventory of what existed.
Fortify's thesis is that the teams who get ahead of security gaps at the protocol level — before they become incident reports — build durable infrastructure companies. That matched what we were building.
The four things we are funding
Policy engine depth. The current YAML-based scope policy works for teams comfortable writing rules manually. We are building a behavioral inference layer that watches what each agent actually does and proposes minimum-privilege policies automatically. An agent that has accessed only read endpoints for 30 days should not be carrying write scopes. We are automating the detection and the downgrade proposal.
Integration coverage. We ship today with first-class support for GitHub, Slack, Google Workspace, Salesforce, Notion, and Linear. The next batch — Jira, Confluence, HubSpot, Zendesk, Stripe, Twilio — is in the integration queue. Each one requires real testing against the provider's OAuth implementation. Spec compliance and actual behavior diverge enough that you cannot short-circuit the work.
SIEM connectors. Alter exports audit events to Splunk, Datadog, and any webhook endpoint today. We are building native connectors for Elastic SIEM, Microsoft Sentinel, and IBM QRadar so Alter's token event stream shows up alongside the rest of your security telemetry. Token mint, token use, token revocation — same dashboard as firewall events and failed logins.
Team. Three engineering hires: policy engine, integrations, audit pipeline. One security research hire whose job is finding bypasses before attackers do. If you work in applied security research, the contact page is the fastest path to a conversation.
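The read-only-for-30-days rule from the policy engine item above, sketched as an added example (not Alter's code or policy format), extended to flag tokens with no activity at all as revoke candidates. It assumes a token inventory and an audit event list whose field names, the `resource:read` / `resource:write` scope labels, and the use of HTTP method as a stand-in for read versus write are all hypothetical; the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

READ_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumption: method approximates read vs write

def propose_policy_changes(tokens, events, now, window_days=30):
    """Return {token_id: (action, scopes)} for tokens observed over a full window."""
    cutoff = now - timedelta(days=window_days)
    seen, wrote = set(), set()
    for ev in events:
        if ev["ts"] < cutoff:
            continue  # older than the observation window
        seen.add(ev["token_id"])
        if ev["method"] not in READ_METHODS:
            wrote.add(ev["token_id"])
    proposals = {}
    for tid, tok in tokens.items():
        if tok["issued"] > cutoff:
            continue  # token younger than the window: not enough evidence yet
        write_scopes = sorted(s for s in tok["scopes"] if s.endswith(":write"))
        if tid not in seen:
            # No use at all in the window: candidate zombie token, propose revocation.
            proposals[tid] = ("revoke", sorted(tok["scopes"]))
        elif write_scopes and tid not in wrote:
            # Active, but read-only for the whole window: propose dropping write scopes.
            proposals[tid] = ("downgrade", write_scopes)
    return proposals

# Constructed sample inventory and audit events (hypothetical ids and scope names).
NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)
def days_ago(n):
    return NOW - timedelta(days=n)

TOKENS = {
    "tok-a": {"issued": days_ago(60), "scopes": {"repo:read", "repo:write"}},
    "tok-b": {"issued": days_ago(60), "scopes": {"repo:read", "repo:write"}},
    "tok-c": {"issued": days_ago(120), "scopes": {"repo:write"}},
    "tok-d": {"issued": days_ago(5), "scopes": {"repo:read", "repo:write"}},
}
EVENTS = [
    {"token_id": "tok-a", "ts": days_ago(2), "method": "GET"},
    {"token_id": "tok-a", "ts": days_ago(45), "method": "POST"},   # outside 30-day window
    {"token_id": "tok-b", "ts": days_ago(3), "method": "GET"},
    {"token_id": "tok-b", "ts": days_ago(10), "method": "PATCH"},  # recent write: keep scopes
    {"token_id": "tok-c", "ts": days_ago(100), "method": "GET"},   # idle since then
    {"token_id": "tok-d", "ts": days_ago(1), "method": "GET"},     # too new to judge
]

if __name__ == "__main__":
    for tid, (action, scopes) in sorted(propose_policy_changes(TOKENS, EVENTS, NOW).items()):
        print(tid, action, scopes)
```

The output is a proposal, not an enforcement action: a downgrade or revocation still needs an owner to confirm that the agent has no infrequent write path the window missed.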
What does not change
Pricing stays the same. The API surface stays the same. Alter still requires no SDK — you point your agent at the proxy endpoint, set your policies in YAML, and you are done. No agent code changes required. No infrastructure migration.
Beta customers keep their accounts and the pricing they were quoted. We made commitments and we are keeping them.
On the competitive landscape forming around this problem
We expect more entrants to the OAuth-for-agents space in 2025. That is good. It means the category is real. Our view is that the proxy architecture — sitting between the agent and the OAuth provider — is the defensible position because it is the only place where you can enforce policy without modifying agents and without modifying OAuth providers. You own the chokepoint.
Teams building audit logging on top of existing OAuth flows, or trying to solve this with agent framework plugins, will find that the protocol layer is the place the problem actually lives. We expect to see that validated over the next 18 months.
How to get access
We are adding new customers on a rolling basis. If you have agents making OAuth requests against any of our supported providers, setup takes under 20 minutes. We can run in proxy mode alongside your existing credential setup during evaluation — no lock-in, no agent code changes required to pull Alter out if it is not the right fit.
The demo request form is on the contact page. Srikar reads every inbound personally during this phase. That will change as the team scales, but right now it is the fastest path to an honest conversation about whether Alter fits your situation.
The long game
Every month that production agent systems run without credential lifecycle management is another month of accrued exposure. Tokens pile up. Scopes expand to the path of least resistance. The blast radius of a future breach grows larger. The teams that address this now will be the ones writing calm post-mortems three years from now instead of emergency board disclosures.
That is what the $4.8M is for. The work continues.