Copado, headquartered in Chicago, Illinois, is an enterprise software company providing a comprehensive end-to-end DevOps platform that streamlines application coding, testing, and deployment for the Salesforce cloud. Its platform, Copado Org Intelligence™, maps every dependency, relationship, and hidden risk to give organizations the ability to deploy new code with confidence and speed. Copado operates globally in North America, Europe, and Japan, with a workforce of 490 people.
Security Applications Lead Engineer Robert Roldan Notario is responsible for driving the strategy and implementation of security controls across the software development lifecycle, ensuring applications are secure from design to deployment. Part of that responsibility includes ensuring that Copado meets its service level agreements (SLAs) to customers.
The Challenge
Copado operates a sophisticated, multi-cloud environment spanning AWS and GCP, designed to meet the highest industry standards. Having already achieved FedRAMP Moderate ATO, the team had established a robust security foundation. However, as the organization scaled, the challenge shifted from establishing security to optimizing operational efficiency. The legacy security stack, while effective at identifying risks, consisted of siloed point solutions. As the environment grew, these tools generated thousands of alerts daily. While these reflected a high-coverage security net, the volume of data created “noise” that made it labor-intensive to isolate the most critical risks. The goal wasn’t to find security—it was to streamline it.
As Copado embraced AI-driven development, the sheer speed of code generation introduced a new scale of vulnerabilities. Even with an ATO in place, the security team found themselves spending excessive time manually correlating data across environments, including AWS and GCP GovCloud.
Before integrating Armis, prioritization was often driven by the volume of findings rather than a unified, context-aware risk score. To maintain their commitment to customer SLAs and regulatory frameworks, Copado sought a way to move beyond manual tracking.
Challenges
- Scaling High Standards: Maintaining the rigorous security posture required for FedRAMP Moderate ATO while managing rapid growth
- Operational Noise: High-fidelity security controls generated a volume of alerts that required more efficient triaging to maintain developer velocity
- Evolving Threat Landscapes: Proactively managing the security implications of AI-generated code at scale
- Orchestrating Visibility: Integrating visibility across a complex multi-cloud environment (AWS and GCP GovCloud) into a single, unified source of truth
- Optimizing Remediation: Moving from manual tracking to automated, risk-based prioritization to consistently exceed SLAs
Results
- Prevented scalable risk exposure by detecting vulnerabilities in application code before production
- Aligned security alerts with the right teams, reducing friction and shortening remediation time
- Cut alert noise by up to 70%, boosting developer productivity and focus
- Shifted to a platform security strategy focused on Infrastructure-as-Code (IaC) hardening
- Gained contextual visibility into applications so they are seen as part of a holistic attack surface
- Instituted risk benchmarking to help clear 17,000 vulnerabilities in one month
- Reduced the average remediation time to seven days