Scaling to 40+ Teams in Two Quarters
Hagerty chose StackHawk for its strong documentation, flexibility across environments, developer-friendly design, and ability to simulate real attacks without blocking pipelines.
But when John Mercer, DevOps Security Engineer at Hagerty, decided it was time to scale StackHawk across more than 40 developer teams, he faced a common organizational challenge. How do you get leadership and dev buy-in, secure resources, and make sure everyone is up to speed about a new product, all in the course of two quarters?
Like most companies, Hagerty’s Security team is small compared to its Engineering team.
“It’s a challenge when Security is only 7 or 8 percent of your whole IT budget, and you are asking them to do something.”
This is something we hear time and time again at StackHawk. It’s why we emphasize that shifting AppSec left requires distributed ownership. In John’s words,
“One person can’t go through 20, 30, 40, 100 teams… You have to distribute it.”
As Hagerty’s Customer Success Manager here at StackHawk, I had a front-row seat to the rollout. John’s approach was genuinely impressive, and I knew other customers could learn from it. John and I sat down for a conversation, and these are the lessons I came away with.
AppSec at Scale Is a Coordination Effort
“The trouble isn’t really technical… It’s bureaucratic. It’s a project management problem.”
I asked John why he chose to roll out to 40 teams at once, rather than implement one team at a time. His answer was very direct:
“Because that approach could take literally five years. Why not knock it out all at once and make it a company-wide standard?”
John leveraged Hagerty’s “awesome project managers,” who prioritized the StackHawk work, assigned deadlines, and fit implementation into an upcoming sprint. As John put it,
“The real challenge wasn’t technical, and it wasn’t the devs. It’s an easy product to implement. It was a project management problem.”
Once he had the project managers on board, things moved quickly. Not every customer has a dedicated project management team, but in many cases, all it takes is one person willing to own the implementation and prioritize it.
Leadership Alignment Is Necessary but Not Sufficient
One thing that became clear throughout Hagerty’s rollout is that leadership alignment, while important, isn’t the hardest part. In John’s experience, getting buy-in at the CIO or CISO level was relatively straightforward. Leadership at Hagerty understands how important AppSec is.
Where things became more complex was in translating that priority into actual work across teams. Even with clear top-down direction, the real effort was in scheduling, prioritizing, and completing the work within existing sprint cycles. The challenge wasn’t convincing people of the importance; it was operationalizing it.
Pattern-Based Rollouts Work
Before rolling StackHawk out to the entire Hagerty organization, John did a deep dive into our product, set up and configured initial scans, and then optimized them. I teased him that, at this point, he is such a StackHawk SME that he could be on our payroll.
That upfront investment made it easy to take the approach we often recommend to larger organizations: templatize and repeat. In John’s own words,
“Once there’s a pattern, you can simply copy it with very little additional work needed.”
Specifically, he did upfront work across multiple stacks (.NET, Python, Node) and then reused it for a comprehensive yet scalable approach.
Communicate the Value to Developers
John focused on communicating the value of StackHawk in a way that would resonate with developers and address their concerns up front.
“I always led with ‘StackHawk mimics a real-world attack.’ Then I reassured them that I will never block them with StackHawk. It’ll only add like five minutes to their pipeline, and then they’re covered. They were good with that.”
Leverage Existing Goodwill
At Hagerty, Security and Engineering have a strong working relationship, and that wasn’t accidental. It’s been an intentional, mindful choice grounded in mutual trust and respect. As John said,
“We’ve worked hard to build good relationships with engineers. They know we’re not adversarial.”
That trust paid off during the rollout. Engineers gave the work the benefit of the doubt because they had reason to.
AppSec at Scale, Without the Bottleneck
Over roughly two quarters, Hagerty rolled StackHawk out across more than 40 teams without turning security into a bottleneck. The technical pieces (easy implementation, dev-friendly pipeline integration, strong documentation, scans that mimic real attacks) gave John a foundation he could trust. From there, the work that mattered was operational: by focusing on repeatable patterns, clear communication, and distributed ownership, Hagerty was able to scale AppSec in a way that actually worked for engineers.
As John put it,
“You have a great tool. You’ve got great documentation. It’s very clear how to implement it in different environments. It’s very flexible for all kinds of different scenarios or use cases.”
Once StackHawk reached developers’ hands, adoption followed quickly.
For organizations looking to do the same, the takeaway is simple: treat AppSec scale as a coordination effort. Build the pattern, communicate the value, and make it easy for teams to run with it. Read the full customer success story.