How did you keep developer velocity while adding security gates?

We pushed checks as left as possible: pre-commit for secrets and simple Semgrep rules, CI for heavier scans. We curated rules (14 custom Semgrep rules) to reduce false positives and staged warn→fail over three weeks. MTTR dropped while PR cycle time stayed within ±6% of baseline.

Why Kyverno over OPA Gatekeeper?

Both work. Kyverno’s policy-as-CRD model and built-in `verifyImages` made Cosign enforcement straightforward for the team. If you already have Gatekeeper expertise and a Rego library, stick with it.

We trialed a DAST scanner but the signal-to-noise was poor for APIs behind mTLS. We focused on SAST, supply chain, IaC scanning, and runtime detection (Falco). For public-facing web apps, we’d pair this with targeted DAST and canary endpoints.

What’s the business impact you actually measured?

Security incident MTTR equivalents, pen test findings reduced from 12 high to 1, and policy coverage (0 public buckets, 0 long-lived keys). Finance used peer incident data to estimate avoided loss in the low seven figures for a data exposure event.

Case-studies · Nov 22, 2025 · 10 minute read

The Fintech Rollout That Didn’t Breach: Security‑First Dev That Paid Off When Prod Got Probed

A scale-up in payments went from “please don’t let us be on Have I Been Pwned” to measurable risk reduction by baking security into the dev loop. Here’s exactly what we did, what it cost, and what it saved.

Back to all posts

The Fintech Rollout That Didn’t Breach: Security‑First Dev That Paid Off When Prod Got Probed

Key takeaways

Implementation checklist