SecTor 2025 | Scaling the AppSec Program Without Scaling Security Headcount

Black Hat
May 24, 2026

Why It Matters

The session demonstrates how automation and developer enablement can materially expand AppSec coverage and consistency across large application estates without proportional hiring, cutting cost and accelerating secure delivery. It is a practical blueprint for organizations facing security skill shortages while still meeting compliance and uptime demands.

Summary

The speakers described a five-year engagement in which they scaled an enterprise application-security program to cover every application without materially increasing security headcount. They achieved this by embedding automated tooling and AI-driven workflows into the SDLC: automating threat modeling from requirements, shifting security left with developer-facing guidance, and running standardized large-scale testing and remediation pipelines. The solution combines AI with deterministic if/then automations to translate business documents into security requirements, surface findings to developers, and enforce production policies. The team enforces a strict ‘no criticals in production’ rule while allowing controlled remediation timelines for lower-severity findings.
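The deterministic side of that policy is easy to make concrete. The following is an added example, not code from the session or from Accenture: a release gate that fails closed on any open critical finding, blocks lower-severity findings once they pass a per-severity remediation window, and warns on findings approaching their deadline. The findings schema, the SLA windows, the warning threshold and the sample findings are all assumptions constructed for illustration.

```python
"""Deterministic release gate: no criticals in production, SLA-timed lower severities.

Added example (not the speakers' or Accenture's implementation). Findings
format, SLA windows and gate semantics are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed remediation windows per severity, in days from first_seen.
# Critical has no window: it is never allowed into production.
SLA_DAYS = {"critical": 0, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str          # expected to be one of SLA_DAYS keys (case-insensitive)
    first_seen: date
    status: str = "open"   # "open" | "fixed" | "accepted"


@dataclass
class GateDecision:
    allow: bool
    blocking: list = field(default_factory=list)   # finding ids that block the deploy
    warnings: list = field(default_factory=list)   # ids approaching their SLA deadline
    reasons: list = field(default_factory=list)    # one human-readable line per flagged finding


def evaluate_gate(findings, today, warn_within_days=7):
    """Apply the gate to a list of Finding objects as of `today`.

    Only 'open' findings count; fixed/accepted ones are skipped. Unknown
    severities are treated as a policy gap and block the deploy (fail closed).
    """
    decision = GateDecision(allow=True)
    for f in findings:
        if f.status != "open":
            continue
        sev = f.severity.lower()
        if sev not in SLA_DAYS:
            decision.blocking.append(f.id)
            decision.reasons.append(f"{f.id}: unknown severity '{f.severity}', failing closed")
            continue
        if sev == "critical":
            decision.blocking.append(f.id)
            decision.reasons.append(f"{f.id}: critical findings are never allowed in production")
            continue
        due = f.first_seen + timedelta(days=SLA_DAYS[sev])
        if today > due:
            decision.blocking.append(f.id)
            decision.reasons.append(f"{f.id}: {sev} overdue since {due.isoformat()}")
        elif (due - today).days <= warn_within_days:
            decision.warnings.append(f.id)
            decision.reasons.append(f"{f.id}: {sev} due {due.isoformat()}")
    decision.allow = not decision.blocking
    return decision


# Constructed sample input: what a scanner export might look like after triage.
TODAY = date(2025, 10, 1)
SAMPLE_FINDINGS = [
    Finding("F-1", "critical", date(2025, 9, 30)),               # blocks: critical
    Finding("F-2", "high", date(2025, 9, 5)),                    # due 2025-10-05: warning
    Finding("F-3", "medium", date(2025, 6, 1)),                  # due 2025-08-30: overdue, blocks
    Finding("F-4", "low", date(2025, 9, 1)),                     # due 2026-02-28: within SLA
    Finding("F-5", "critical", date(2025, 9, 1), status="fixed"),  # skipped: already fixed
]


def run_sample():
    """Evaluate the constructed sample as of TODAY and return the decision."""
    return evaluate_gate(SAMPLE_FINDINGS, TODAY)


if __name__ == "__main__":
    d = run_sample()
    print("ALLOW" if d.allow else "BLOCK")
    for line in d.reasons:
        print("  " + line)
```

The gate is intentionally free of any AI component: the model can draft requirements or propose fixes, but the decision that a build may reach production stays in deterministic code whose behaviour can be reviewed and tested, and which fails closed on inputs it does not recognise.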

Original Description

The ability to scale application security programs, including vulnerability triage and remediation, with bots has been proven.
This session will apply a flavor of GenAI, enhanced with proprietary data accumulated through years of very large-scale security deliveries, and focus on how to implement the bot(s), what scales can be achieved, and the cost savings and results.
By:
Mario Lauande Lacroix | Senior Security Manager, Accenture
Will Yeager | Security Consulting Manager, Accenture
