
Case Study:

Kusari

Vulnerabilities: Gone in 30 Days - Kusari, on Kusari

Our first customer? Us! Discover how the Kusari Platform transformed our own supply chain security.

Industry

High Tech | Software

About

Privately held

Based in Greater NYC

We live and breathe secure software supply chain practices and solutions

Key Challenges

Pinpoint and map all vulnerabilities and transitive dependencies

Prioritize risks, consistently, and know when and how they arrived

Attribute every vulnerability

Enable rapid remediation

Valued Outcomes

Unresolved vulnerabilities reduced from 230+ to 30

Zero exploitable or high-severity vulnerabilities

Mean Time to Remediate (MTTR) reduced from 110 days to 1 day

Deployment frequency increased from 30 to 250 per week

Even Kusari, a company built to secure the software supply chain, started with vulnerabilities to confront. When we turned our platform inward, we found over 230 unresolved vulnerabilities. Many were buried deep within transitive dependencies, nested inside legacy base images, and obscured by the sheer complexity of our growing environment. Traditional scanning tools gave us quantity, but not clarity, and certainly not the strategic focus we needed.

Approach

Our transformation began by analyzing our entire software environment through Kusari's lens of visibility, risk prioritization, and live attribution. Here’s how we did it:


Step 1: Establish visibility and prioritize what matters

We used the Kusari Score to contextualize vulnerabilities, not just by volume but by severity, exploitability, and reach. This let us focus immediately on the issues that posed real risk.

Step 2: Automate enforcement and stop vulnerabilities at the gate

We implemented automated enforcement policies to block any artifact or code with a Kusari Score above our defined threshold. Risky components were prevented from ever reaching production, automatically and reliably.

Step 3: Integrate directly into developer workflows

With GitHub integration and real-time Slack alerts, developers received policy enforcement feedback exactly where they work. No added toil, no waiting for downstream reviews. Just secure code, delivered faster.

Step 4: Trace vulnerabilities from build to runtime

Through end-to-end attribution, every vulnerability was live-traced from its origin in the build to where it lived in our runtime environments. This gave our teams a real-time, accurate map of risk across our AWS cloud environment.

All of this operated seamlessly in our existing cloud-native architecture. With Kusari, rapid response is the default. We enforce policies and deploy protections instantly and without disruption, which is critical for keeping pace with evolving threats that change by the hour.

Results

The results were not just improvements — they were transformational.

  • We reduced vulnerability count from 230+ to under 30 in just three weeks.
  • We eliminated all high-severity vulnerabilities completely.
  • Average vulnerability lifespan (Mean Time to Remediate, or MTTR) dropped from 110 days to 1 day.
  • Our deployment velocity skyrocketed from 30 to an astounding 250 deployments per week.

Beyond numbers, we achieved unified visibility across engineering and security, turning fragmented risk management into a real-time, proactive security posture. That meant there were no longer delays, bottlenecks, or misalignments between teams. No more developers waiting for a security review or digging through JSON reports to find what needs to be fixed. Security became embedded into our workflows, not bolted on after the fact.

Even more importantly, this wasn’t a one-time clean-up. The Kusari Platform fixed the initial problem and now makes it easy for us to maintain our low vulnerability count. Anything still detected is either short-lived or non-production, caught and controlled before reaching customer-facing environments. With live attribution, policy-based enforcement, and real-time visibility across builds and runtime, we’ve made secure delivery the default. It’s how we stay ahead of risk, and how our customers do too.

Key Takeaway

Our own journey demonstrates that security doesn't need to be a blocker. Done right, security is a catalyst, accelerating software delivery, boosting developer productivity, and creating a competitive advantage.

At Kusari, we don’t just advocate for secure, real-time software delivery; we live it. And it’s the same exact path we guide our customers through every day. When visibility, enforcement, and rapid response are baked into the heart of your software delivery process, security enables great outcomes for your business.

Want to eliminate the real supply chain risks coming at you nonstop? Want security that can empower your organization to focus on what matters? Reach out and speak to one of our founders to start cutting through the noise today. And, register for our upcoming livestream!
