Case Study · US Regional Health Insurer

Health Provider Preps for the Next React4Shell

Kusari unifies visibility of an enterprise-wide software supply chain.

Industry

Health Insurance Provider

About

5,000-employee health insurance organization
Operates a large, complex application ecosystem with modern CI/CD pipelines, containerized workloads, and a broad mix of open source and third-party dependencies
Security team uses best-of-breed tools for SAST, SCA, container scanning, and dependency management — yet visibility was fragmented across systems
Responding to the next security exploit or attack without a consolidated view of their environment was no longer an option

Key challenges

What software and dependencies (especially transitive ones) are running right now?
Where is a vulnerable package deployed — across apps, images, and environments?
How exposed are we when the next React4Shell-level vulnerability drops?

Valued outcomes

Kusari is the central system of record for software supply chain visibility
Ingests SBOMs generated by tools they already trust
Normalizes data across applications, images, and pipelines
Self-service global search by package, vulnerability, component, and lifecycle status
Fast, precise answers during high-pressure vulnerability events

In our customer's words:

Serving 3.6M members across several states, we invest heavily in our application security, but had a gap with transitive and indirect dependencies. The last thing we wanted was another exploit, like React4Shell, without Kusari in place.

Unlike traditional SCA or container scanning tools, Kusari is not another scanner. Kusari fills the visibility gap that only becomes obvious when everything is on fire.

What makes us different

Tool-agnostic ingestion. Kusari works with any tool in the development pipeline — ingest existing SBOMs or generate them from scratch and augment over time.
Enterprise-wide visibility. Microservices, repos, images, and pipelines together — not pages and pages of findings without signals or context.
Vulnerability-first search. Identify where vulnerabilities exist (not just that they exist) and know if you are at risk.
Lifecycle awareness. License information, end-of-life, and deprecation are first-class signals.
Designed for incidents. Built to immediately answer "are we affected?"
Ease of use. Integrates directly with existing tools and workflows, deploys in minutes, delivers immediate results.
Autonomous remediation. Kusari AI surfaces and prioritizes risks with instant remediation feedback.

Want to see how it would land in your environment? Schedule a demo and speak with one of our founders.

What makes us different

Want to learn more about Kusari?