Case Study

Scaling Security with Context at Demandbase

Boost takes Demandbase from "Compliance Noise" to a 10x Improvement in Security Posture.
Industry: B2B SaaS
Repositories: 2,000
Developers: 500

"Our security posture meaningfully increased by 10x because developers actually fix things with Boost. I can guarantee that wouldn't happen with other tools."

— Daphne Yang, Staff Technical Product Manager, Demandbase
001 / The Problem

Compliance-Based Scanning & The Never-Ending Backlog

For the security team at Demandbase, legacy scanning looked more like a box-ticking exercise than a proactive defense. While they used Veracode to meet SOC2 and ISO requirements, the platform suffered from a 95-99% false positive rate.

Noisy tools led to inaction. Because the security team lacked confidence in the results, they couldn't justify blocking builds. Developers didn't trust the findings either, so they had little reason to understand or improve the security of their own coding practices.

With trust lacking in security findings, the backlog grew over time instead of shrinking.

We had a scanner, but we weren't doing enough about it. Our CSO realized that if we didn't stop the bleeding, we simply couldn't catch up.
002 / The Boost solution

ASPM-Driven Prioritization & Policy Control

Demandbase needed a way to move beyond AppSec scanning tools and toward a proactive, defensible ASPM strategy. To make the leap, they evaluated several options, including GitLab Ultimate, but found that the bundled tools and policies lacked the granularity required for their security program. They chose the Boost Security ASPM Platform because it provided the "intelligence layer" needed to prioritize risk in a smart, tailored way.

Key Boost capabilities that made the decision easy:

003 / How it works

The "Living Rollout" & Developer Experience

Transitioning security at Demandbase meant scaling across 2,000 repositories and 500 developers. Yang implemented a "living rollout" strategy designed to minimize friction while maximizing impact.

The PR-First Workflow. The "defining factor" for success, in Yang's estimation, was Boost's inline PR comments. By delivering straightforward, actionable feedback directly in GitLab, security became part of the developer's existing discussion instead of an external hurdle imposed in a separate workflow.

The comments don't have a lot of fluff. The content itself is actionable and easy to find.

Phased Migration. Yang's team ran Boost in "silent mode" (report-only, with no merge blocking) for several weeks to gather data and tune policies. This let them understand, and educate developers about, what would have been blocked before the guardrail was actually enforced. That transparency changed the relationship between security and engineering: developers stopped feeling that security was "breaking things" and instead built feedback loops that improved both quality and security.

10x: Measured improvement in security posture relative to legacy scanning tools, validated during budget review with the General Counsel.
004 / The result

10x Posture Improvement & "Healthy Repos"

One year after migrating to Boost, the security program at Demandbase has shifted from reactive compliance-based maintenance to automated security oversight.

Massive Remediation Velocity

In a single two-week period, the team recorded 530 verified fixes, a volume that was unattainable under the legacy model.

Drastic MTTR Reduction

For critical-severity vulnerabilities, the Mean Time to Response (MTTR) dropped to under 48 hours.

Defensible Security Spending

Yang successfully defended the platform by proving security posture had improved 10x relative to legacy scanning tools.

Healthy Repos

Demandbase now tracks a strategic "Healthy Repo" metric: a repository is healthy when it has had zero unaddressed high-risk vulnerabilities over a trailing 30-day window.
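The two metrics above (a per-severity MTTR and a trailing-window "Healthy Repo" flag) are simple to compute from finding records once you decide what "unaddressed" means. The following is an added illustration written for this page, not Boost's code or Demandbase's data. It assumes severity labels of `critical` and `high` count as high-risk, treats a high-risk finding as "unaddressed" once it has been open longer than a 48-hour grace period (borrowed from the MTTR target above; a different program would pick its own SLA), and uses constructed findings and timestamps.

```python
"""Added example: "Healthy Repo" flag and per-severity MTTR from finding records.

Not Boost's implementation. Severity labels, the 48-hour grace period and the
sample findings below are assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

HIGH_RISK = {"critical", "high"}          # assumed severity labels
WINDOW = timedelta(days=30)               # trailing window from the page
GRACE = timedelta(hours=48)               # assumed SLA before "unaddressed"


@dataclass
class Finding:
    repo: str
    severity: str
    opened: datetime
    resolved: Optional[datetime] = None   # None means still open


def was_unaddressed_in_window(f: Finding, now: datetime,
                              window: timedelta = WINDOW,
                              grace: timedelta = GRACE) -> bool:
    """True if this finding was open past its grace period at any point
    inside [now - window, now]. Findings outside the window, or fixed
    within the grace period, do not count against the repo."""
    end = f.resolved if f.resolved is not None else now
    breach_start = f.opened + grace
    if end <= breach_start:               # fixed before it became "unaddressed"
        return False
    # The finding was unaddressed during [breach_start, end];
    # check whether that interval overlaps the trailing window.
    return end >= now - window and breach_start <= now


def repo_health(findings: List[Finding], now: datetime,
                window: timedelta = WINDOW,
                grace: timedelta = GRACE) -> Dict[str, bool]:
    """Map every repo seen in `findings` to True (healthy) or False."""
    health = {f.repo: True for f in findings}
    for f in findings:
        if f.severity in HIGH_RISK and was_unaddressed_in_window(f, now, window, grace):
            health[f.repo] = False
    return health


def mean_time_to_response(findings: List[Finding], severity: str,
                          now: datetime,
                          window: timedelta = WINDOW) -> Optional[float]:
    """Mean hours from opened to resolved for findings of `severity` that were
    resolved inside the trailing window. Returns None when there are none,
    rather than reporting a misleading zero."""
    hours = [
        (f.resolved - f.opened).total_seconds() / 3600
        for f in findings
        if f.severity == severity and f.resolved is not None
        and now - window <= f.resolved <= now
    ]
    return mean(hours) if hours else None


# Constructed sample data (not real Demandbase findings).
NOW = datetime(2024, 6, 30, 12, 0)
SAMPLE_FINDINGS = [
    # repo-a: high-risk findings fixed inside the grace period -> healthy
    Finding("repo-a", "critical", datetime(2024, 6, 20, 9), datetime(2024, 6, 21, 9)),
    Finding("repo-a", "high", datetime(2024, 6, 25, 0), datetime(2024, 6, 26, 12)),
    Finding("repo-a", "low", datetime(2024, 5, 1, 0)),            # low risk, ignored
    # repo-b: critical took 72h, breaching the 48h grace -> unhealthy
    Finding("repo-b", "critical", datetime(2024, 6, 22, 0), datetime(2024, 6, 25, 0)),
    # repo-c: critical open since April, still unresolved -> unhealthy
    Finding("repo-c", "critical", datetime(2024, 4, 1, 0)),
    # repo-d: an old breach resolved before the window started -> healthy
    Finding("repo-d", "high", datetime(2024, 5, 1, 0), datetime(2024, 5, 10, 0)),
    Finding("repo-d", "medium", datetime(2024, 6, 1, 0)),
]

if __name__ == "__main__":
    for repo, ok in sorted(repo_health(SAMPLE_FINDINGS, NOW).items()):
        print(f"{repo}: {'healthy' if ok else 'UNHEALTHY'}")
    print("critical MTTR (hours):", mean_time_to_response(SAMPLE_FINDINGS, "critical", NOW))
```

The trailing-window check is the part worth getting right: a repo that had a critical finding open for a week in May but fixed it before the window began is healthy today, while a finding that has been quietly open since April counts against its repo every day until it is closed. Pinning `now` as an explicit parameter, rather than calling `datetime.now()` inside the functions, keeps the metric reproducible for a budget review.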
005 / Why switch to an ASPM?

ASPM: Strategy Beyond the Scan

Scanners can find bugs. ASPM Platforms can govern development. For Demandbase, shifting to an ASPM meant being able to implement security controls at scale.

Noise Suppression

The Boost Security ASPM Platform uses environmental context and multiple natively built scanners to prioritize reachable, material threats while suppressing false positives.

Centralized Control

Boost enables a single security owner to enforce global guardrails across thousands of repositories without manual pipeline edits or developer intervention.

Shift Further Left

Most tools "shift left" by moving scan results to the PR. The Boost ASPM Platform pushes further left by using the Model Context Protocol (MCP) to deliver security standards directly into the IDE, so vulnerabilities can be prevented at the moment of inception.