Dylan Ayrey, Brad Larsen, & Zach Rice

October 31, 2025

We've been doing NHI since 2016


This post was co-authored by 3 of the foremost experts in secret scanning: Dylan Ayrey (author of TruffleHog), Zach Rice (author of gitleaks), and Brad Larsen (author of Nosey Parker). 

The term Non-Human Identity (NHI) has rapidly gained traction in cybersecurity. It’s the new umbrella term for machine identity. This new terminology reflects a growing recognition that machines, just like humans, need identities to authenticate, authorize, and interact securely within systems.

If you didn’t know, machine identities are a mess — they take on many forms. Sometimes they’re directly attached to a secret, sometimes they’re not. Sometimes they’re even attached to human identities.

  • Service accounts, as in GCP, where a single identity can have several keys issued for it.

  • Standalone keys like a Stripe API key, where the key is the identity.

  • Independent machine identities like GitHub App installation tokens, which carry the app's own permissions rather than any user's.

  • Human-linked credentials used by machines like a GitHub personal access token (PAT), where the key inherits a human’s permissions and acts as an extension of that user, even when the activity is automated.

This overlap is what makes NHI hard. Some credentials behave like full-fledged machine identities, while others blur the line between human and machine.

An entire industry has emerged to make sense of this landscape, focused on the provisioning, management, inventory, and revocation of these sensitive credentials and more.

But for those of us who have been in the trenches for years, this isn't a new problem. Before "NHI" became a buzzword, we called it "machine identity" and "secrets detection/analysis." And we, the authors of this post, have been building the tools to solve this problem since the very beginning.

When we started, our mission was simple: find leaked secrets. The industry might have evolved language for it, but the fundamental challenge remains the same. However, the conversation around NHI has correctly identified that true management goes far beyond simple detection.

Simple detection techniques exhaust security teams with false positives

It’s easy to find strings that resemble secrets using regular expressions or entropy-based checks. But these approaches cast far too wide a net, generating an overwhelming flood of false positives, which create crippling alert fatigue. When security teams are forced to manually sift through thousands of non-issues, they inevitably miss the one that matters.

This means that an effective NHI security program involves not just detecting possible secrets but also integrating with the provider, validating that each one is live, analyzing what access it has, and articulating its risk.

Liveness checking solves alert fatigue

At Truffle Security, we understood this challenge from day one. Finding a key is only step one; the crucial next step is checking if the key actually works. This is liveness checking, the most important capability in modern secret detection.

Liveness checking transforms your security posture by:

  1. Eliminating False Positives: By actively verifying if a found secret can authenticate against its respective service, we can confidently discard false positives and focus exclusively on real, active leaks.

  2. Confirming Remediation: When you revoke a leaked secret, how do you know the job is done? Rather than relying on human word-of-mouth, automated liveness checking provides definitive proof. A subsequent scan will show that the secret has (or has not) been revoked, closing the loop on remediation.

  3. Demonstrating Impact: A verified, live secret isn’t just a theoretical risk; it's an actual exploitable problem. Liveness checking allows security teams to accurately prioritize remediation efforts based on tangible impact. (There are other ways to prioritize exposed secrets too!)
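The following Go program is an added example, not code from this post or from TruffleHog, gitleaks or Nosey Parker. It shows the loop the three points above (and the false-positive problem described earlier) rely on: each detector pairs a pattern with one read-only, authenticated call to the issuing provider, so a string that merely looks like a key and a key that has since been rotated both come back dead, while a rescan after the owner revokes a live key is the proof of remediation. Everything concrete here is an assumption made for the example: the in-process fake provider, the token formats (approximations, not the vendors' published formats), the sample config file, and the endpoint paths.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"sync"
)

// Status is the provider's verdict on a candidate secret.
type Status int

const (
	Unverified Status = iota // no usable answer (rate limit, outage, network error)
	Live                     // provider accepted it: a real, exploitable leak
	Dead                     // provider rejected it: a regex false positive, or a leak already revoked
)

func (s Status) String() string { return [...]string{"unverified", "live", "dead"}[s] }

type Finding struct{ Detector, Secret string; Status Status }

// Detector is a pattern plus the read-only endpoint and auth scheme used to check
// liveness, e.g. https://api.github.com/user or https://api.stripe.com/v1/balance.
type Detector struct {
	Name             string
	Pattern          *regexp.Regexp
	Endpoint, Scheme string
}

// Verify makes one authenticated, read-only GET. 200 => Live, 401/403 => Dead; anything else
// stays Unverified rather than guessed, or a rescan could "confirm" a revocation that never happened.
func (d Detector) Verify(ctx context.Context, c *http.Client, secret string) Status {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, d.Endpoint, nil)
	if err != nil {
		return Unverified
	}
	req.Header.Set("Authorization", d.Scheme+" "+secret)
	resp, err := c.Do(req)
	if err != nil {
		return Unverified
	}
	resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return Live
	case http.StatusUnauthorized, http.StatusForbidden:
		return Dead
	}
	return Unverified
}

// Scan runs every detector over data and verifies each match (a production scanner
// would also dedupe, so one distinct secret costs one provider call).
func Scan(ctx context.Context, c *http.Client, dets []Detector, data string) []Finding {
	var out []Finding
	for _, d := range dets {
		for _, m := range d.Pattern.FindAllString(data, -1) {
			out = append(out, Finding{d.Name, m, d.Verify(ctx, c, m)})
		}
	}
	return out
}

// Constructed sample (no real credentials): a live PAT, a PAT rotated long ago, a README
// placeholder, and a live Stripe key. The patterns below are approximations for this example.
const liveGitHub, liveStripe = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8", "sk_test_Ab3dEf6hIj9kLm2nOp5qRs8tUv1w"
var sampleInput = "GITHUB_TOKEN=" + liveGitHub + "\nOLD_TOKEN=ghp_Z9y8X7w6V5u4T3s2R1q0P9o8N7m6L5k4J3i2\n" +
	"EXAMPLE_TOKEN=ghp_" + strings.Repeat("x", 36) + "\nSTRIPE_KEY=" + liveStripe + "\n"

// RunDemo scans the sample against a fake provider (200 for tokens in its store, 401 otherwise),
// revokes the live PAT at the provider and rescans: the second result is the proof of remediation.
func RunDemo() (first, afterRevoke []Finding) {
	var store sync.Map // the fake provider's credential store: token -> true
	store.Store(liveGitHub, true)
	store.Store(liveStripe, true)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, tok, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		if _, ok := store.Load(tok); !ok {
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
	defer srv.Close()
	dets := []Detector{
		{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`), srv.URL + "/user", "token"},
		{"stripe-secret", regexp.MustCompile(`\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b`), srv.URL + "/v1/balance", "Bearer"},
	}
	first = Scan(context.Background(), srv.Client(), dets, sampleInput)
	store.Delete(liveGitHub) // the owner rotates the key at the provider
	afterRevoke = Scan(context.Background(), srv.Client(), dets, sampleInput)
	return first, afterRevoke
}

func main() {
	first, after := RunDemo()
	fmt.Println("initial scan:", first, "\nafter revoking the PAT:", after)
}
```

Run it with `go run .`: the first scan reports the live PAT and the Stripe key as live and the rotated PAT and the placeholder as dead, and the rescan after the delete shows the PAT dead as well. Two caveats for anyone turning this into a real scanner: a verification request is itself an authenticated use of the credential, so it appears in the provider's audit log and counts against rate limits, which is why each detector should use the least-privileged read-only endpoint the provider offers and the context should carry a timeout; and only a clear accept or reject is a verdict, because reporting a timeout or a 429 as "dead" would let a leak pass as remediated.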

As part of our ongoing research and development, we've built the most comprehensive liveness verification system in the industry. While other tools stop at detection, TruffleHog is the only open-source scanner in the NHI space that performs liveness checking for every secret it detects. 

This approach aligns with modern security frameworks, including the OWASP Top 10 for Non-Human Identities, which explicitly calls out the danger of leaked secrets. The only way to manage that risk effectively and at scale is to continuously verify the status of every potential secret in your environment.

We have decades of NHI experience

Between the three of us, we represent a combined 21 years of dedicated work in what is now called the NHI space:

  • Dylan Ayrey wrote the first version of TruffleHog back in 2016, making it one of the earliest and now most popular secrets scanners. Today, TruffleHog is powered by an engine with over 800 detectors and over 40 secret analyzers. It is the only secret detector that includes liveness checking for all supported secret types. Dylan's co-founder Dustin Decker has also helped maintain TruffleHog for the past four years, building on his decade of cybersecurity experience.

  • Zach Rice created Gitleaks in 2018, focusing on developer experience, portability, and fine-grained configurability that allows teams to tune detection rules precisely to their environment and workflow.

  • Brad Larsen began writing secret detectors in 2021 and released the Apache-licensed Nosey Parker in 2022. It is engineered for raw speed and scalability, making it an indispensable tool for offensive security use-cases and "assumed breach" investigations.

Between these three tools there have been billions of secret scans performed.

Truffle’s Future

While the term NHI may be new, the principles of securing sensitive information are not. We’ve been building the tools to solve this problem for nearly a decade. And today, TruffleHog stands as the most mature and effective solution for automated detection and liveness checking of Non-Human Identity assets.

In the coming years, we’ll continue to release new categories of tooling to further enable our open-source users and enterprise customers to manage NHI more efficiently throughout its lifecycle.




The Dig