Criminals no longer knock at the door; they abuse the keys that companies can no longer control. Offroad seeks to provide that control.
New York- and Tel Aviv-based Offroad emerged from stealth with seed funding of $7 million, led by Ibex Investors and Skywell Capital. Offroad helps organizations move from identity visibility to identity resolution – it claims to investigate, govern, remediate, and verify identity risks.
The firm uses agentic AI to find and investigate the issues. It gathers context from fragmented systems. and then fixes them autonomously, either by reporting details to a human in the loop, or by autonomous action wherever safe.
It was co-founded in May 2025 by CEO Dan Bendler and CTO Philip Shteyn (formerly a Captain at Unit 8200, Israeli Military Intelligence).
“Enterprises now operate across a constantly changing mix of human users, machine identities, and AI agents,” explains Bendler. “The context needed to understand and resolve identity risk is spread across dozens of systems and workflows, while security teams are still expected to investigate and remediate issues manually. That model is becoming increasingly difficult to sustain.”
Shteyn adds, “Most identity systems were designed around assumptions that no longer hold. AI agents operate across systems at all hours and at a scale humans never could, which makes traditional behavioral baselines far less reliable. Security teams need systems capable of continuously investigating and reasoning through identity activity, not simply generating more findings.”
The identity problem will worsen. The number of identities, systems, workflows, and autonomous agents inside organizations will continue to grow. Illustrating the current problem, Offroad has produced and published (available from its site) a detailed audit report of 2,890 public OAuth applications on Google Workspace Marketplace and GitHub Marketplace.
The audit finds that 918 apps (32%) carry at least one structural exposure signal: from scopes wider than the app’s stated function, AI with write access, threat-intel flags, dead publisher websites, buyable or pending publisher domains, and brand-leading app names published by third parties.
In tandem with this report, Offroad has also launched ohauth.ai, described as “A community catalog of OAuth apps with over-privileged scopes, dead publisher domains, and silent permission drift.”
The company warns that some identity risks emerge in realtime, when identities misbehave. Others build quietly over time through privileges that outlive their purpose, access that’s kept after roles change, third-party apps with permissions nobody can justify, machines with too much power, and AI agents working across systems.
Offroad’s solution to this identity problem is to use its own autonomous agents to find the issue, gather the context necessary to understand the problem, and then fix it.
Related: The Credential Crisis: How Stolen Credentials Defeat Modern Security
Related: 1Password Teams With OpenAI to Stop AI Coding Agents From Leaking Credentials
Related: The Blast Radius Problem: Stolen Credentials Are Weaponizing Agentic AI
