Brian Vlootman had done what the industry recommended.
As CISO of Backbase, an AI-powered digital banking platform serving 100+ financial institutions, Vlootman had implemented developer training, SAST, SCA, threat modeling and secure architecture principles.
"But the realization came that yes, you can do everything perfectly with these tools, but it is not enough," says Vlootman.
Traditional AppSec stops at deployment. Once code shipped to production, Backbase had no visibility into what was actually executing, how it was being attacked, or which vulnerabilities actually mattered.
Vlootman needed a different approach.
Backbase faced what most maturing SaaS companies face:
Production was a black box: Security teams had no insight into which code paths executed, which libraries loaded or how attackers probed applications once deployed
Vlootman realized Backbase needed to do more than chase vulnerabilities; they needed to start managing production risk.
"You should not stop at the SDLC," Vlootman says. "You need to consider the fact that you will end up with vulnerabilities in your production environment anyway. So how are you going to deal with those?"
Vlootman selected Contrast Security's Application Detection and Response (ADR) platform to close the gap between development-time security and production-time risk.
Because ADR instruments applications at runtime, it could be introduced without requiring application code changes, a critical factor for a platform with hundreds of customer-specific deployments.
Unlike traditional AppSec tools that analyze code statically, ADR instruments applications at runtime. That reveals which code paths and libraries actually execute in production, which vulnerabilities are reachable and exploitable, and how attackers are probing applications; it also blocks exploitation attempts in real time.
During the proof of concept, Contrast's ADR found a SQL injection vulnerability that had been in production for years and missed by three prior security vendors.
"The first reaction was, wow, this is really something else," Vlootman recalls. "This can find stuff that we would've otherwise missed."
It wasn't just another tool. It was a different category of security.
Developers got their time back: By identifying which vulnerable components were actually executed in production, Backbase eliminated roughly two-thirds of CVEs from triage queues.
"The insight you get from ADR gives you an excellent data point to ignore some CVEs," says Vlootman. "You can eliminate a lot of waste."
When the next Log4j-scale event hits, Backbase will know immediately whether they're affected, and attackers will be blocked while patches are prepared.
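The triage idea above (drop CVEs whose vulnerable component never executes in production, and answer a Log4j-style "are we affected?" question from what is actually loaded) can be shown with a small join between an SCA report and runtime observations. This is an added illustration, not Contrast's code or Backbase's data: the SCA findings, the agent log line format, the `classes_used` field and the CVE identifiers are all constructed for the example (the CVE ids are placeholders, not real advisories), and the only thing it assumes is that a runtime agent can report which library versions the application loaded and whether any of their classes were invoked.

```python
"""Runtime-informed CVE triage: join SCA findings with the libraries a runtime
agent actually saw loaded (and used) in production.

Constructed example data throughout; the log format and CVE ids are invented.
"""
import re

# Constructed sample: what a software composition analysis (SCA) scan reports
# for the build. "score" is a CVSS-like base score.
SCA_FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "log4j-core", "version": "2.14.1", "score": 10.0},
    {"cve": "CVE-0000-0002", "package": "jackson-databind", "version": "2.9.8", "score": 9.8},
    {"cve": "CVE-0000-0003", "package": "commons-text", "version": "1.9", "score": 9.8},
    {"cve": "CVE-0000-0004", "package": "guava", "version": "20.0", "score": 5.3},
    {"cve": "CVE-0000-0005", "package": "snakeyaml", "version": "1.26", "score": 7.5},
]

# Constructed sample: lines a hypothetical runtime agent emits when the running
# application loads a library. classes_used=0 means loaded but never invoked
# during the observation window.
AGENT_LOG = """\
2024-03-01T09:00:01Z INFO agent library_loaded name=log4j-core version=2.14.1 classes_used=37
2024-03-01T09:00:01Z INFO agent library_loaded name=jackson-databind version=2.9.8 classes_used=112
2024-03-01T09:00:02Z INFO agent library_loaded name=guava version=20.0 classes_used=0
2024-03-01T09:00:05Z INFO agent request path=/api/login status=200
"""

LOAD_RE = re.compile(r"library_loaded name=(\S+) version=(\S+) classes_used=(\d+)")


def parse_loaded_libraries(log_text):
    """Return {(name, version): max classes_used} for every library the agent saw loaded."""
    loaded = {}
    for line in log_text.splitlines():
        m = LOAD_RE.search(line)
        if m:
            name, version, used = m.groups()
            key = (name, version)
            loaded[key] = max(loaded.get(key, 0), int(used))
    return loaded


def triage(findings, loaded):
    """Split SCA findings into buckets by what production actually executed.

    fix_now          - vulnerable version loaded and its classes were invoked
    loaded_not_used  - loaded, but no class invoked during the window (deprioritize, re-check)
    not_loaded       - never loaded in production (candidate to drop from the triage queue)
    Each bucket is sorted by score, highest first.
    """
    buckets = {"fix_now": [], "loaded_not_used": [], "not_loaded": []}
    for f in findings:
        key = (f["package"], f["version"])
        if key not in loaded:
            buckets["not_loaded"].append(f)
        elif loaded[key] == 0:
            buckets["loaded_not_used"].append(f)
        else:
            buckets["fix_now"].append(f)
    for bucket in buckets.values():
        bucket.sort(key=lambda f: f["score"], reverse=True)
    return buckets


def affected_by(loaded, package, vulnerable_versions):
    """Log4j-style question: which vulnerable versions of `package` are actually loaded?"""
    return sorted(v for (n, v) in loaded if n == package and v in vulnerable_versions)


def triage_reduction(buckets):
    """Fraction of findings that leave the immediate queue (not loaded or not used)."""
    total = sum(len(b) for b in buckets.values())
    return (total - len(buckets["fix_now"])) / total if total else 0.0


if __name__ == "__main__":
    loaded = parse_loaded_libraries(AGENT_LOG)
    buckets = triage(SCA_FINDINGS, loaded)
    for name, items in buckets.items():
        print(name, [f["cve"] for f in items])
    print("log4j-core affected versions loaded:",
          affected_by(loaded, "log4j-core", {"2.14.1", "2.15.0"}))
    print("share of findings deprioritized: %.0f%%" % (100 * triage_reduction(buckets)))
```

The "not loaded" bucket is only as good as the observation window: a library that is loaded lazily on a rarely used code path will not show up until that path runs, so the safer reading of that bucket is "deprioritize and re-check as the window grows", not "ignore forever".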
Vlootman made a critical decision: Application Detection and Response would be deployed by default across all platform environments, not offered as an opt-in.
Crucially, ADR can be deployed without requiring code changes or redevelopment, eliminating the friction that typically slows security adoption.
"We believed that having ADR in place for our production workloads helps reduce risk on our side, not just the customer side," Vlootman explains.
If it had been optional or required development effort, adoption would have been slow. Teams would only enable it after an incident, when it was too late. By making it default, every new project experiences ADR from development through production, building confidence across teams and eliminating deployment friction.
"Not just with the security team looking at Contrast, but also involving the project teams who need to make the change," Vlootman says. Teams see it work in dev and test before it reaches production, eliminating anxiety about introducing something into the critical path.
As AI accelerates both software development and attack velocity, Vlootman views Application Detection and Response as increasingly non-negotiable.
"If developers do not pay close attention, AI-generated code contains a lot of vulnerabilities," warns Vlootman. "Instead of 1x vulnerable code you get 2x or 5x. Traditional SDLC tools cannot cope."
Meanwhile, attackers using AI are exploiting vulnerabilities faster than ever. "Because AI continues to drive and accelerate the exploitation of these vulnerabilities, the necessity to have ADR to protect your production workloads increases."
Today, Backbase runs Application Detection and Response across its entire platform. "Number one for me would be insight into production," Vlootman says. "The second, especially as a CISO, is the peace of mind that even if you've missed something, you still have another layer of defense. And the third would be the fact that you can leverage ADR at scale, from one to 10 to 100 to a thousand applications."
Schedule a demo and see how to eliminate your application-layer blind spots.