Inside Anjuna’s confidential computing approach to data protection

Many enterprises have followed the same data protection playbook for years. Encrypt data when it’s stored, and encrypt it when it’s moving between systems. But any time data is actually being used, those protections can break down.

That’s because data in use has to be loaded into the computer’s memory so the system can work on it, at which point it’s typically decrypted and in a readable format, making it accessible to anyone who can access the machine.

The problem is that modern security — firewalls, identity layers, monitoring systems — focuses on perimeter defense, building walls around infrastructure to keep attackers out. But you have to trust that all of those tools work, all of the time.

And, with the growing use of AI by both cybersecurity teams and adversaries, that perimeter is changing shape. Recent incidents, such as a Meta AI Agent inadvertently exposing sensitive company and user data to employees who did not have permission to access it, show how quickly information can be compromised.

Anjuna Security was founded to shrink the number of tools cybersecurity teams need to trust, by solving the underlying problem: protecting data even while it’s being used.

“With the increasing number of attacks, and also the fact that the time to attack is now being accelerated by AI, protection is something that has to be leveled up substantially.”

“With the increasing number of attacks, and also the fact that the time to attack is now being accelerated by AI, protection is something that has to be leveled up substantially,” explains Chief Strategy Officer Mark Bower. “Confidential computing gives you a way to do that. It brings the attack right back to the hardware itself — hardware that’s purpose-built to isolate from threats, from insiders, from authorized code.”

Inside the enclave

Confidential computing allows data to remain encrypted even while it’s being processed by using hardware-based secure environments inside the processor. These are isolated “enclaves” that prevent anything from outside from accessing what’s happening inside.

The underlying hardware of confidential computing has been available for years, built into modern central processing units (CPUs) and graphics processing units (GPUs). Historically, however, using it meant rewriting applications from scratch, which created a barrier to adoption.

Anjuna’s core product, Seaglass, removes that barrier. It acts as a software layer that allows enterprises to run existing applications inside secure enclaves without modifying their code.

“You can think of it like digital battle armor for applications,” says Bower, “giving you control, even if you don’t control the infrastructure.”

Unlocking the confidential cloud

Anjuna was founded by CEO Ayal Yogev, a two-decade expert in enterprise security with product management roles at Imperva, Lookout, OpenDNS (acquired by Cisco) and SafeBreach, and Yan Michalevsky, former CTO, whose doctoral research in security and applied cryptography at Stanford led him to the emerging field of confidential computing.

Anjuna launched as part of Y Combinator’s Winter 2018 class, raising a $3M Seed round in March that year, followed by a $9M Series A in June 2020, and a $30M Series B led by Insight Partners in 2021.

Early traction came from helping organizations move their most sensitive workloads to the cloud.

“We’ve been working with our customers to…solve that last mile problem of cloud migration,” says Bower. “Many organizations still have applications that are stuck in the data center…[due to] risk, controls, compliance, and sovereignty.”

By protecting data even during processing, confidential computing allows organizations operating in sectors with the lowest tolerance for risk —  financial services, government, and defense — to run sensitive workloads, such as financial systems or healthcare analytics, in public cloud environments without exposing them.

Cybersecurity’s AI problem

Agentic AI introduces a new class of risk.

“Almost in every executive conversation that we have…there’s massive concern,” Bower says. “On the one hand, [they must] enable agentic processes. The power of being able to accelerate business and enable new code to be built in seconds is just overwhelming. At the same time, there needs to be controls put in place to limit the risks.”

“It’s like having 1,000 very enthusiastic interns being given a task and going off to do it.”

The challenge is that AI systems don’t behave predictably. “Agents themselves are non-deterministic,” he explains. “You give Agents a goal, and they go figure out how to solve [it]…It’s like having 1,000 very enthusiastic interns being given a task and going off to do it.”

This tension creates a dilemma for enterprises. “If you don’t enable agentic AI, then it’s a career-limiting scenario for most executives. If you do enable agentic AI, it’s career-limiting if you have an outcome that causes a breach,” Bower explains. “You need to convert that to a win-win for the business and security.”

The incorruptible Agent supervisor

Anjuna’s response is to move away from trying to predict behavior and instead control what systems are allowed to do at the hardware level.

Building on its confidential computing capabilities, the company is introducing a new layer designed specifically for AI systems: “an incorruptible Agent supervisor” that governs how Agents interact with data, systems, and credentials.

“You can then unleash the power of the agentic systems without compromising on the guardrails necessary to allow the business to flourish,” says Bower. “That’s where we see this world.”

The system limits access, controls actions, and enforces boundaries in real time, all at the hardware level, rather than through software rules alone.

“By creating this kind of intermediary layer, we’re enabling organizations to then embrace Agents from third parties,” says Bower. “In-house Agents, coding Agents, all those things that cause massive concern for CISOs and so on, can now be actually enabled.”

The year of confidential computing

In April 2024, Anjuna introduced Seaglass AI Clean Rooms in private preview — the foundation for what is now Anjuna Northstar — allowing organizations to collaborate on sensitive data and AI workloads in isolated environments.

A $25M Series B2 that August funded the expansion, alongside an integration with NVIDIA’s Blackwell and Hopper GPUs, bringing confidential computing to high-performance large language models.

For Bower, the trajectory is clear: “When confidential computing first arrived, it was quite arcane, complex and somewhat limited in use…Those days are gone…Now you’ve got this foundational ecosystem…and it’s going to become a must.”

As AI compresses the cycle of idea to code to product, enterprises will have to rethink how they protect data during that process, where it’s stored, and where it’s used. “We think 2026 is the year of confidential computing,” he adds. “It’s here. Now it’s a case of, why wouldn’t you use this?”

*Note: Insight Partners has invested in Anjuna Security.