The situation
A B2B SaaS company (we'll call them "DataCo") based in Bengaluru had completed SOC 2 Type I. Type II observation was beginning. The auditor's verbal feedback was clear: "Your vulnerability management process needs documented continuous improvement. 340 known production vulnerabilities is a hard number to defend at year-end."
DataCo's profile:
- 70 engineers across 14 product teams
- ~80 repositories
- Java + Node.js + Python services on AWS
- 8-month-old SOC 2 Type I in place
- Existing vulnerability backlog: 340 across all severities
- 6 months until SOC 2 Type II observation ended
- Engineering team already complaining about "security blocker" PRs
- No security engineer on payroll
- Budget approved for security tooling but unsure which
The scoping (Week 0)
Bachao.AI's DevSecOps lead ran a two-day workshop with DataCo's engineering directors. Findings:
- 80 repos, ~340 vulnerabilities mostly clustered in 12 critical services
- 50% of "vulnerabilities" were duplicate findings (same package, multiple repos)
- 22% were false positives or not exploitable in DataCo's context
- 28% were genuine and required attention
- Tooling: GitHub for code, GitHub Actions for CI, ECR for containers, AWS EKS for runtime
Implementation (Weeks 1-6)
Week 1-2: CI pipeline security
- Semgrep installed on every repo
- Custom rule set tailored to DataCo's framework patterns (Spring Boot, Express, FastAPI)
- Four-day triage sprint: backlog of 340 findings reduced to 187 genuine ones
- Pre-merge gates calibrated
- Snyk integrated across all 80 repos
- Daily Trivy scan of the images stored in ECR
- Wiz CSPM enabled on AWS
- Centralised dashboard (single pane of glass for vulnerabilities)
- CloudTrail forwarded into Datadog Security with identity and asset enrichment
- 12 custom detection rules (data exfiltration patterns, anomalous API calls, identity behaviour)
- On-call rotation set up for security events
- First synthetic exercise (red-team-style detection test)
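As an added illustration of what the CI gating above looks like in practice (this is example configuration written for this page, not DataCo's or Bachao.AI's workflow): one GitHub Actions workflow that blocks a pull request only on ERROR-severity Semgrep findings from the curated rules plus a repo-local rule directory, and on a daily schedule scans an image already pushed to ECR with Trivy, failing on unfixed-free CRITICAL/HIGH results. The workflow path, the `.semgrep/` directory, the account ID, the IAM role name and the image repository name are assumptions.

```yaml
# .github/workflows/security.yml  (assumed path; illustrative, not DataCo's file)
name: security-gates

on:
  pull_request:
  schedule:
    - cron: "0 3 * * *"   # daily scan of what is actually in ECR, not only what was just built

permissions:
  contents: read
  id-token: write         # OIDC to assume the scan role; no long-lived AWS keys in CI
  security-events: write  # upload SARIF to code scanning

jobs:
  semgrep:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # Curated rules plus repo-local rules under .semgrep/ (assumed directory).
      # Only ERROR-severity findings fail the job, so the gate stays low-noise;
      # WARNING/INFO findings still reach the dashboard via the SARIF upload.
      - run: >
          semgrep scan
          --config p/default --config .semgrep/
          --severity ERROR --error
          --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep.sarif

  trivy-ecr:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/ecr-scan-readonly   # assumed account and role
          aws-region: ap-south-1
      - uses: aws-actions/amazon-ecr-login@v2
        id: ecr
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.ecr.outputs.registry }}/payments-api:latest   # assumed repository name
          severity: CRITICAL,HIGH
          ignore-unfixed: true   # no upstream fix yet means no actionable ticket yet
          exit-code: "1"
          format: sarif
          output: trivy.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy.sarif
```

The calibration is in two flags: `--severity ERROR` on the Semgrep side and `ignore-unfixed` on the Trivy side. Both keep the blocking set small enough that engineers treat a red check as a real defect rather than a "security blocker" to argue about, while the SARIF uploads keep the lower-severity findings visible for backlog work.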
Results at 6 months
Vulnerability backlog:
- Start: 340 (after deduplication: 187 genuine)
- End: 38 (80% reduction from the 187 genuine findings)
- New introductions per month: dropped from 18-22/month to 4-6/month
- Mean time to remediation: dropped from 84 days to 11 days
Detection and response:
- 12 → 47 detection rules
- First simulated attack scenarios detected within target SLOs (most under 5 minutes to detection)
Developer experience:
- "Security blocker" PR rejection rate: 4.2% → 1.1% (fewer surprises in CI)
- Average PR review time including security checks: increased by 2 minutes (negligible)
- Critical/High vulnerability remediation: moved from incident-response work to in-sprint work
SOC 2 Type II:
- Auditor noted "documented continuous improvement"
- Vulnerability backlog reduction included as evidence
- Zero findings on the vulnerability management control area
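The implementation list names three kinds of custom detection rules on CloudTrail (data exfiltration patterns, anomalous API calls, identity behaviour) and the results report them detecting simulated attacks in minutes. The following is an added example of what such rules look like as code, written for this page and not taken from Bachao.AI's or DataCo's Datadog rule set. It evaluates one rule of each kind over a small set of constructed CloudTrail-shaped events: a burst of S3 `GetObject` calls by one principal, a sensitive IAM call from outside known egress networks, a successful console login without MFA, and an `AccessDenied` burst. The thresholds, the allowlisted CIDRs, the account ID and the principal names are assumptions.

```python
"""Toy CloudTrail detection rules of the three kinds named on the page.

Added example, not Bachao.AI's or DataCo's rules. The events at the bottom are
constructed for illustration; field names follow the CloudTrail record format,
but thresholds, allowlist CIDRs, account ID and principal names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed: CIDRs used by CI runners and office egress (illustrative values).
KNOWN_EGRESS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
# Assumed: calls that should only ever originate from known infrastructure.
SENSITIVE_CALLS = {"CreateAccessKey", "PutBucketPolicy", "StopLogging", "DeleteTrail",
                   "AuthorizeSecurityGroupIngress", "UpdateAssumeRolePolicy"}
WINDOW = timedelta(minutes=5)
EXFIL_THRESHOLD = 20     # GetObject calls per principal per window (assumed)
DENIED_THRESHOLD = 5     # AccessDenied errors per principal per window (assumed)


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _principal(e):
    return e.get("userIdentity", {}).get("arn", "unknown")


def _burst(events, threshold, window):
    """Principals with >= threshold events inside any sliding time window."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[_principal(e)].append(_t(e["eventTime"]))
    hits = {}
    for p, times in by_principal.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[p] = max(hits.get(p, 0), hi - lo + 1)
    return hits


def rule_exfiltration(events):
    """Data exfiltration pattern: bulk object reads by a single principal."""
    reads = [e for e in events if e["eventSource"] == "s3.amazonaws.com"
             and e["eventName"] == "GetObject" and not e.get("errorCode")]
    return [{"rule": "s3-bulk-read", "principal": p,
             "detail": f"{n} GetObject calls within {WINDOW}"}
            for p, n in _burst(reads, EXFIL_THRESHOLD, WINDOW).items()]


def _from_known_network(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Service-initiated calls carry a service hostname instead of an address.
        return ip.endswith(".amazonaws.com")
    return any(addr in net for net in KNOWN_EGRESS)


def rule_anomalous_api(events):
    """Anomalous API call: a sensitive call from outside the known networks."""
    return [{"rule": "sensitive-call-unknown-network", "principal": _principal(e),
             "detail": f"{e['eventName']} from {e['sourceIPAddress']}"}
            for e in events
            if e["eventName"] in SENSITIVE_CALLS and not _from_known_network(e["sourceIPAddress"])]


def rule_identity(events):
    """Identity behaviour: console login without MFA, and AccessDenied bursts."""
    alerts = []
    for e in events:
        if (e["eventName"] == "ConsoleLogin"
                and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and e.get("additionalEventData", {}).get("MFAUsed") == "No"):
            alerts.append({"rule": "console-login-no-mfa", "principal": _principal(e),
                           "detail": f"from {e['sourceIPAddress']}"})
    denied = [e for e in events if e.get("errorCode") == "AccessDenied"]
    for p, n in _burst(denied, DENIED_THRESHOLD, WINDOW).items():
        alerts.append({"rule": "access-denied-burst", "principal": p,
                       "detail": f"{n} AccessDenied errors within {WINDOW}"})
    return alerts


def run_rules(events):
    return rule_exfiltration(events) + rule_anomalous_api(events) + rule_identity(events)


def _ev(ts, source, name, arn, ip, **extra):
    e = {"eventTime": ts, "eventSource": source, "eventName": name,
         "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    e.update(extra)
    return e


ACCT = "111122223333"                                    # assumed account ID
CONTRACTOR = f"arn:aws:iam::{ACCT}:user/contractor-dev"  # assumed principal
ADMIN = f"arn:aws:iam::{ACCT}:user/admin"                # assumed principal

# Constructed sample events; not real CloudTrail data.
SAMPLE_EVENTS = (
    # 25 object reads in under three minutes from one principal: bulk pull
    [_ev(f"2024-03-01T09:{i // 10:02d}:{(i % 10) * 6:02d}Z", "s3.amazonaws.com", "GetObject",
         CONTRACTOR, "203.0.113.10", requestParameters={"bucketName": "dataco-exports"})
     for i in range(25)]
    + [_ev("2024-03-01T10:15:00Z", "iam.amazonaws.com", "CreateAccessKey", ADMIN, "192.0.2.77",
           requestParameters={"userName": "admin"}),               # unknown network: alert
       _ev("2024-03-01T10:20:00Z", "s3.amazonaws.com", "PutBucketPolicy", ADMIN, "203.0.113.5"),  # known: no alert
       _ev("2024-03-01T10:21:00Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", ADMIN,
           "cloudformation.amazonaws.com"),                         # service-initiated: no alert
       _ev("2024-03-01T11:00:00Z", "signin.amazonaws.com", "ConsoleLogin", ADMIN, "198.51.100.4",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"})]
    # six denied IAM enumeration attempts in under a minute
    + [_ev(f"2024-03-01T12:00:{i * 10:02d}Z", "iam.amazonaws.com", "ListUsers", CONTRACTOR,
           "203.0.113.10", errorCode="AccessDenied") for i in range(6)]
)

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a["rule"], a["principal"], a["detail"])
```

Running the block prints four alerts, one per rule, and nothing for the two benign sensitive calls. The point a practitioner should take from it is the shape of the first twelve rules on a programme like this: each one is a few lines of logic over fields CloudTrail already carries, and the tuning work is in the thresholds and allowlists, not in the matching.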
What it cost
| Line item | Year 1 cost |
|---|---|
| Bachao.AI 6-week implementation sprint | ₹6L |
| Bachao.AI monthly retainer (12 months) | ₹18L |
| Tool licences (Semgrep Pro + Snyk + Wiz + Datadog Security) | ₹30L |
| Internal engineering time (triage workshops, runbook reviews) | ~₹8L opportunity cost |
| Total Year-1 investment | ₹62L |
What DataCo's CTO said
"Security as a separate team felt like the answer until we couldn't afford to hire one. Bachao gave us the playbook for security as part of engineering. The dashboard, the runbooks, the on-call — our engineers now own it. Bachao tunes and reviews monthly. Our SOC 2 auditor stopped asking questions about vulnerability management because the data spoke for itself."
Pattern this engagement followed
Common shape for Bachao.AI DevSecOps engagements:
- SaaS engineering team with active engineering velocity
- SOC 2 / DPDP / ISO 27001 compliance event creating pressure
- No dedicated security engineer
- Tooling budget exists but tool selection unclear
- Need for documented continuous improvement
