Croatian startup rmBug, founded by Mario Đanić and Luka Kladarić, has secured a pre-seed investment of 400 thousand euros from the Silicon Gardens fund and entrepreneur Damir Sabol, co-founder of Iskon, Microblink, and Photomath, which was acquired by Google in 2023 in the largest technology exit in Croatia to date.
rmBug is developing a tool that addresses one of the most common yet most neglected security issues in software companies – uncontrolled and invisible access to production databases.
Every other system in the modern tech stack has used identity-based authentication for years: SSO for applications, IAM for cloud resources, certificates for services. Databases are the exception. They still operate on shared passwords that circulate via Slack, are handed out on the first day of work, and are never changed because someone once tried and crashed production. Consequently, almost no one hacks databases; intruders simply log in with a password that everyone already knows.
The consequences are always the same: three engineers share one set of credentials for the production database; someone leaves the team, and no one revokes their access; the audit log exists, but no one reads it. Something goes wrong, and the question is always the same: who was inside, what did they do, and when? In most companies, no one can answer that question.
– At every workplace, the same pattern was observed: security tools built for compliance theater, not for the engineers who have to use them daily. That’s why we built something different – says Mario Đanić, co-founder and director of rmBug.
rmBug consists of three components: an agent on the engineer’s computer that manages authentication, a gateway that is set up within the company’s infrastructure and never exits to rmBug’s cloud, and a dashboard for managing access rules and reviewing audit logs. Engineers authenticate through the existing identity provider, and all queries to the database pass through the gateway, which logs and controls them. Engineers continue to use the tools they are accustomed to – psql, MySQL CLI, TablePlus, or DBeaver – without any change in their workflow.
