Cybersecurity Companies to Watch in 2026: Analyst Reflections from it-sa Expo&Congress

October 20, 2025

 

I had the pleasure of attending Nuremberg’s it-sa Expo&Congress 2025 in early October to gather insights into the state of cybersecurity. It was a chance for me to touch base and meet up with a lot of companies in the niche security sub-markets of Secure Elements (SEs), Hardware Security Modules (HSMs), Public Key Infrastructure (PKI) applications, trust and identity management, and Post-Quantum Cryptography (PQC). Here’s a roundup of some of the hot cybersecurity companies I met up with this year.

 

Table 1: Cybersecurity Companies and Their Products 

| Company | Primary Focus Area | Key Security Products / Solutions | Notable Features or Technologies |
|---|---|---|---|
| Tropic Square | Secure Elements (SEs) | TROPIC01 Open-Source Secure Element | Built on RISC-V, tamper-resistant, transparent & auditable architecture; used in hardware wallets (Trezor) and future smartphone/HSM integrations. |
| Nitrokey | Hardware Security Modules (HSMs) | NetHSM (Open-Source HSM) | Fully open-source, customizable, low-TCO design; supports biometric ID projects; alternative to proprietary HSMs. |
| Utimaco | HSMs & Trust Services | u.trust CSe-Series HSM, Enterprise Key Manager as a Service (EKMaaS) | FIPS 140-3 L4, PCI PTS HSM v.4 certified; PQC-validated; supports multi-tenant HSMs (up to 31 containers), REST APIs, PKI CA deployment, BYOK for Azure. |
| CRYPTAS | Trust & Identity Management | primeSign eSignature Platform, CLM Solutions | Qualified trust services under eIDAS 2; supports eID, certificate lifecycle management, and EU regulatory compliance (CRA, NIS2, DORA). |
| Keyfactor | PKI, CLM & PQC | Keyfactor Platform, Crypto-Asset Discovery & Management | Comprehensive identity and PKI management for IoT, PQC, AI, and data centers; strong focus on regulatory compliance and crypto-agility. |
| GlobalSign | PKI & Digital Certificates | PKI & S/MIME Certificate Services, Integration with NoSpamProxy | Provides certificates for secure email (PGP, S/MIME); API-rich platform with VAR ecosystem; scalable global PKI deployment. |
| PQShield & Cryptomathic | PQC & Key Management | UltraPQ PQC Library (PQShield), CrystalKey360 Platform (Cryptomathic) | Combines PQC algorithms with key management; provides crypto-agility, cross-HSM/cloud governance, policy control. |
| DEVITY | IoT & Industrial Identity Security | KEYNOA IoT Identity Management SaaS | Automated zero-touch onboarding; integrates TPMs and machine PKI; supports OEM device identity lifecycle management. |
| Worldline | Payment & IoT Security | ADYTON HSM Line, IoT PKI/CLM Collaboration with intelliCard | Trusted hardware for secure transactions; backbone PKI for IoT device trust; integrates PKI and CLM for IoT environments. |
| Siemens | OT & Industrial Cybersecurity | SINEC Secure Connect, SINEC Security Suite (Inspector, Monitor, Guard) | Enables Zero-Trust OT networks, vulnerability management, and asset tracking; integrated with ProductCERT and 24/7 OT SOC (Accenture partnership). |
| Red Alert Labs | IoT Security Compliance & Evaluation | CyberPass Compliance Platform (SaaS) | Centralized AI-assisted compliance as a service; supports certification labs and standards bodies; includes consulting, training & evaluation services. |

 

 

Security Hardware Companies

 

Tropic Square

Czech startup Tropic Square was there to showcase the world’s first commercially available open-architecture Secure Element (SE), the TROPIC01, which went into production in February 2025. It entered volume production just last month (September 2025) and is available globally through a growing network of distribution partners.

Unique on the market, the TROPIC01 is an open-architecture tamper-resistant SE built on RISC-V, fully auditable and transparent for developers and security researchers. The problem that Tropic Square is aiming to solve is the limited device integrity in the industry; the company believes in enabling verifiability by opening up the chip’s source code and openly inviting independent researchers to inspect it and provide feedback.

This is a distinct departure from other SEs on the market, all of which are based on proprietary tech. Tropic Square was showcasing its wafer and development board, as well as current partners for future collaborations for use in smartphones, security keys, and even HSMs. One such partner is Contentwise, present at the booth, which did a deep dive on the TROPIC01 in comparison to those offered by competitors NXP (EdgeLock SE050C) and STMicroelectronics (STSAFE-A120).

 

Nitrokey

Nitrokey, a German IT security company, was another partner showcasing alongside Tropic Square. Nitrokey develops and manufactures the industry’s only open-source HSM, the NetHSM. Appearing on the scene a few years back, the startup has seen growing interest, despite the very closed and proprietary HSM world.

Some of its key implementations include biometrics identity projects in Africa, which augur well for future projects. Similarly to Tropic Square, its open-source architecture allows for independent audits and easier customization, at a much lower Total Cost of Ownership (TCO).

Perhaps a decade ago, such a product would have struggled in the highly rigid HSM market, but today, with demand for trusted operations not just in regulated and sensitive environments, there is a place for companies like Nitrokey to thrive.

Further, Nitrokey is working toward security certifications of the NetHSM, so it will soon join the certified ranks of the other HSMs in the market, paving the way to be a strong competitor with an open-source differentiator.

 

Utimaco

At the opposite end of the HSM spectrum, I met up with Utimaco – global leader in the space offering a myriad of HSM flavors (for payments as well as general purpose), as well as applications and services in the trust space.

Two significant announcements were in order for the company.

The first was the launch of its latest generation of general purpose HSM, the CSe-Series of its u.trust General Purpose HSM Platform. Successor to the CryptoServer CSe HSM and latest addition to the high-performance, multi-tenant-capable u.trust GP HSM Platform, this new machine packs a security punch, with all the latest - and highest! - certifications in process (FIPS 140-3 level 4 with PQC validation, PCI PTS HSM v.4, etc.). It is designed on a highly flexible architecture (supporting multi-tenancy, with up to 31 fully isolated containerized HSMs) with a lot of new features: REST APIs, 5K RSA 2k key transactions, Quantum Protect application package extension, PKI root CA deployments, among others. It caters to myriad trust-based applications in addition to general purpose enterprise and government, including automotive, IoT (smart meters, outdoor installations) and telco solutions.

The second announcement is for their latest integration of Enterprise Key Manager as a Service (EKMaaS) with Microsoft Azure to address BYOK use cases. Anchored in Utimaco’s data center hosted physical u.trust GP HSMs and track-proven Enterprise Secure Key Manager, EKMaaS is one of a series of cloud-based services enabling cybersecurity without on-premises installations to cater to the growing market segment focused on cloud and hybrid deployments. While the trend for crypto management (keys, certificates, etc.) is to the cloud, there remain strict security requirements for anchoring trust with dedicated hardware, wherever it is based. The EKMaaS allows the client to define its own master key and hold it separately from the cloud, certainly a singular feature in the market currently with regard to key ownership.

 

Trust Applications Companies

Trust-based applications can be built on security-focused hardware, and there were plenty of cybersecurity vendors on the floor showcasing their solutions, notably in the identity space.

 

CRYPTAS

First up was CRYPTAS, with a specialty in establishing trust services through encryption technologies. This small, innovative but longstanding European security company, headquartered in Austria, and recently partially acquired by eMudhra, focuses on signing solutions through its primesign brand, notably for strong authentication, credential management, certificate lifecycle management, PKI and key management.

The vendor offers enterprise and qualified trust services as well, meaning its Qualified Signatures and wallets according to eIDAS 2 are ready for EU citizens. CRYPTAS operates both its own as well as partner solutions, and can also offer CLM for publicly issued certificates.

Two key trends driving the market for CRYPTAS are automation and services, underpinned by demands for better central management, both in the public and private space. And of course, the top concern for many of the company's prospects is regulatory and standards compliance, in the EU with instruments like CRA, NIS2 and DORA, and more broadly with advancing PQC demands. This is raising awareness for crypto asset discovery and management.

 

Keyfactor

In the same, slightly broader, market, I spoke with Keyfactor, which is seeing similar trends in terms of regulatory headwinds driving interest in identity solutions. At the forefront of the PKI and CLM market, Keyfactor has been highly proactive in targeting new upcoming security use cases to drive value for their clients, leveraging both their more traditional solutions around PKI and certificate management, but also with the latest addition of tools around cryptographic discovery (through the recent acquisition of InfoSec Global). With dedicated focus, Keyfactor has developed solutions supporting myriad cybersecurity applications and technologies, including machine identities, IoT, crypto asset discovery and asset management, PQC, data centers, agentic AI, among others.

 

GlobalSign

A behemoth in the PKI space, GlobalSign was another cybersecurity vendor I had the chance to speak with. It was co-exhibiting with its partner NoSpamProxy, an email security gateway and cloud service providing anti-spam and malware filtering, as well as Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) encryption.

GlobalSign is NoSpamProxy’s certificate partner, with direct integration into NoSpamProxy, supplying S/MIME certificates for issuance and lifecycle management. The big push on GlobalSign’s end is for agility, notably to enable the company to scale global PKI adoption, reach new verticals, and localize customer engagement. Therefore, there is a growing importance of its own certificate lifecycle solutions like its Certificate Automation Manager and LifeCycleX, as well as Technology Alliances, which are central to GlobalSign’s go-to-market strategy. 

GlobalSign recognizes that these alliances are essential to meeting customer requirements with the ever-shortening certificate lifecycle. Its strategy can leverage its strength as a CA leader, underscoring its trustworthiness for integrated cybersecurity and identity solutions. With an API-rich context, GlobalSign can meet a broader variety of cybersecurity demands for customers.

 

PQShield and Cryptomathic

Staying on the topic of key management, I also stopped by a shared booth from PQShield and Cryptomathic. PQShield is one of the few Intellectual Property (IP) providers of PQC algorithms, with one of the broadest suites of optimized libraries for the various National Institute of Standards and Technology (NIST) standards, packaged for different use cases (e.g., speed, security, or size) and applications (embedded, system level, platform, performance, etc.).

Cryptomathic, on the other hand, has dedicated expertise in key management, signing, card issuance, and mobile app security. The partners were showcasing Cryptomathic’s CrystalKey360, a platform that provides the policy, orchestration, and audit layer that governs how keys and algorithms are used across HSMs, cloud key stores, and confidential-computing environments. In a single console, teams can discover where legacy algorithms are still used, define hybrid policies, stage and approve changes with dual control, and roll out updates across applications with tamper-evident audit trails.

For security leaders facing DORA, NIS2, and long crypto deprecation windows, the partnership between PQShield and Cryptomathic turns PQC migration from a code rewrite into a governed change process.

 

Companies Protecting IoT & Industrial Environments

 

DEVITY

Moving on to the machine space, but still staying in the key management field, I met up with DEVITY, a German cybersecurity company focusing on trust and identities for industrial and IoT devices. The company offers services (risk analysis, Proofs of Concept (PoCs), and custom and managed PKI services), but at it-sa, it was showcasing its software solution KEYNOA, an automated zero-touch onboarding and identity management solution for IoT devices.

Working directly with Original Equipment Manufacturers (OEMs) to build a chain of trust, DEVITY can help by anchoring trust right in the hardware (e.g., with Trusted Platform Modules (TPMs)), matching IDs with serial numbers, pre-configuring the security policies, and integrating into a machine PKI system to provide comprehensive ID management for devices.

Offered as a Software-as-a-Service (SaaS) solution, KEYNOA covers the breadth of requirements for deploying comprehensive security across the different stages of life, from secure production to lifecycle management.

 

Worldline

Payment security leader Worldline was also present at the expo, showcasing its latest innovations in secure payments and digital transactions, including its ADYTON HSM line of products that provide the underlying trusted hardware. Most interestingly, circling back to the IoT space, was a joint session with Intellicard (a Swiss-based company specializing in identity security solutions).

The session looked specifically at PKI and CLM for IoT solutions, with Worldline providing the backbone PKI (anchored in its HSM), and Intellicard providing the CLM. It underscored how such technologies can provide the basis for robust device identity and trust within IoT environments.

 

Siemens

Diving into the maelstrom of industrial environments, I attended the Siemens analyst event there and got a dedicated tour of their booth and demos from participating partners. With some highly detailed presentations on some of the firm’s latest announcements, I got a deeper dive into Siemens’ new virtual overlay network to enable zero-trust implementations in Operational Technology (OT) environments. Billed under the SINEC Secure Connect brand, this includes a series of tunnelers, edge routers and network controller capabilities for the control plane, which then enables a protected communication flow across the data plane. It is accompanied by the SINEC Security software suite, which includes an inspector (for testing), monitor, and guard.

The latter, SINEC Security Guard, is an integrated vulnerability management workflow, pulling information from Siemens’ own ProductCERT as well as other sources to match vulnerabilities with asset inventory, and to prioritize and plan mitigation measures, such as asset updates and configuration changes. Siemens is in fact the only industrial automation company to openly provide information on its own product vulnerabilities to third parties, which they can also use commercially, a laudable effort which other industrial automation companies should implement.

Beyond the dedicated technology solutions, Siemens also showcased its expertise in OT security, with two distinct service highlights. The first was from Siemens Advanta, the dedicated consulting and implementation business focused on IoT and digital transformation, on how it can help build customized OT governance programs and implement them into customer operations.  The second was its dedicated 24/7 OT SOC as a Service, which not only addresses the growing need for continuous threat management, but also regulatory compliance. Siemens also collaborates with Accenture to deliver comprehensive converged SOC services, combining both IT and OT expertise.

Overall, the topic of security regulation and compliance (current, in process, and upcoming) was a recurring theme throughout my discussions at it-sa. Standards (FIPS 140-3, IEC 62443, EUCC/ISO/IEC 15408, ETSI 303 645, NIST PQC), mandates (NIST SP 800-207, NERC CIP, KRITIS), and regulations (eIDAS 2.0, NIS2, CRA, DORA, RED, PSD3) result in a real avalanche of instruments that can be hard to keep track of if you’re not in the field.

 

Red Alert Labs

Rounding up with Red Alert Labs (last in this write-up, but certainly not least), this is a cybersecurity company focused on product security compliance—clearly a very hot topic. More distinctly looking at IoT product security, the firm offers four core activities: security consulting, evaluation, training, and innovation, embodied by its SaaS-based platform, CyberPass.

Red Alert Labs aims to simplify the product compliance process for companies with its CyberPass offering. By integrating support from industry actors (certification labs, public bodies, and standards organizations), it marries the software platform, centralization, and AI assistance to help streamline the security evaluation process.

Additional security services can complement the platform (training, technical support), but the goal is to offer managed compliance as a service, a truly innovative way of enabling and simplifying the compliance road for those who need to meet standards and regulatory requirements.

 

Overall, the it-sa Expo&Congress was certainly worth the time to attend. I saw some great demos and products, and had many engaging discussions with passionate and smart representatives in the cybersecurity industry about the technologies and markets that are at the heart of digital trust.

 

 

 

Tags: Citizen Digital Identity, Trusted Device Solutions, Quantum Safe Technologies, Cybersecurity

Written by Michela Menting

Senior Research Director
Michela Menting, Senior Research Director at ABI Research, delivers analyses and forecasts focusing on digital security. Through this service, she studies the latest solutions in cybersecurity technologies, from trusted silicon and hardware to secure applications and infrastructures. She then delivers end-to-end security research, closely analyzing technology trends, growth opportunities, and industry-specific implementations in end markets, including enterprise, government, financial, telecommunications, industrial, and IoT.
