Customer Success Story

Enterprise Education Leader Scales API Security Testing Across 600+ Repositories

See how a leading educational technology company secured its sprawling API landscape with StackHawk—reducing testing times, improving vulnerability visibility, and empowering development teams to own security without slowing innovation.

Automated API Discovery

Faster, Developer-Led Security

Actionable Intelligence

Use Case: API Discovery & Attack Surface Management

Industry: Education Tech

Employees: +240

Location: USA

A leading provider of educational technology solutions serving students and institutions nationwide, found itself at a crossroads that many growing tech companies face. Their development teams were moving fast—really fast—but their security practices weren’t keeping up.

With over 600 repositories spread across multiple development teams and a sprawling API landscape that included everything from legacy REST services to modern microservices, their security team was struggling to keep pace. They had the challenge that so many AppSec teams know all too well: how do you secure an API attack surface that’s expanding faster than you can even map it?

The team was also looking for something that could integrate seamlessly with their CI/CD platforms and make it easier to hand off vulnerabilities to developers for quick remediation, without becoming a bottleneck that slowed down their development velocity.

API Discovery has helped us discover legacy REST services and internal services that may not be tested regularly.
Director of Enterprise Architecture

The Problem

The security team couldn’t keep up with their rapidly expanding API landscape across 600+ repositories, struggling to discover unknown APIs and efficiently hand off vulnerabilities to developers.

The Solution

StackHawk’s API Discovery automatically identified all APIs from source code while seamless CI/CD and JIRA integrations enabled developers to own their security testing.

The Results

Reduced API testing runtime to under 15 minutes for 15-20 microservices and achieved team self-sufficiency in security testing with better vulnerability visibility.

Choosing a Solution

When they started evaluating dynamic application security testing (DAST) tools, they had some specific requirements in mind. They needed something that could handle their complex authentication scenarios, discover APIs they didn’t even know existed, and integrate smoothly into their existing development workflows.

StackHawk stood out for several key reasons that directly addressed their pain points:

API Discovery: One of the biggest wins for the company was StackHawk’s API Discovery feature. “API Discovery has helped us discover legacy REST services and internal services that may not be tested regularly,” says the Director of Enterprise Architecture. Instead of manually hunting through repositories and trying to map their API landscape—a process that can take organizations months or even years—StackHawk’s source code-based approach gave them visibility into their attack surface almost immediately.

Flexible Authentication: The company’s APIs handle sensitive educational data, which means robust authentication is non-negotiable. StackHawk’s configurable authentication capabilities meant they could test their APIs the way they actually run in production, not just scan public endpoints that don’t reflect real-world usage patterns.

Team-Centric Organization: With 600+ repositories across multiple teams, they needed a way to organize their security testing that matched how their developers actually work. StackHawk’s ability to associate repositories with specific teams and view repository information by team made it easy for different development groups to take ownership of their security testing.

Developer-Friendly Integration: The team appreciated StackHawk’s integration with various CI/CD platforms, allowing them to embed security testing early in their development pipeline. Plus, the seamless integration with existing tools like JIRA allows vulnerabilities to be handed off to developers for remediation without requiring them to learn new tools or change their workflows.

Runtime Testing That Finds Real Issues: Unlike static analysis tools that can miss business logic flaws and authorization issues, StackHawk’s approach to testing running applications meant they could find vulnerabilities that actually matter—the ones that could be exploited in production.

Experience with StackHawk

The results since implementing StackHawk have been transformative for the company’s security posture and development efficiency.

Dramatic Performance Improvements: One of the most immediate wins was in testing efficiency. “We’ve been able to scan 15-20 microservices in less than 15 minutes,” notes the Director of Enterprise Architecture. They used to have over 500 endpoints lumped together, but breaking them down into specific sub-sections of their APIs helped them pinpoint problems quickly and get their runtime down to under 15 minutes.

Better Visibility, Better Security: The improved visibility has been life-changing. Through authenticated scans, they’re discovering high-critical vulnerabilities that were previously hidden. The CodeQL integration has been particularly valuable, helping them connect the dots across their massive repository base and correlate static and dynamic testing results.

Self-Sufficient Teams: Their development teams have become self-sufficient in setting up new services for testing with StackHawk. This shift from security being a bottleneck to security being something individual teams can handle themselves has been crucial for maintaining their development velocity while improving their security posture.

Process Maturity: They’ve implemented dev and stage checks with notifications after deployment, creating a well-established process for managing new application releases to production. The team has even started using labels on their GitHub repositories to better categorize and track their different projects—a small change that’s made a big difference in organizing their large repository base.

Actionable Intelligence: The continuous visibility into their security testing program means security teams can see at a glance what’s tested, how often, and what needs attention. No more guesswork about coverage or wondering if vulnerabilities are actually getting fixed.

The transformation reflects what happens when security tools are built with developers in mind. Instead of security being something that happens to development teams, it’s become something they own and control, with the oversight and visibility that the security team needs to ensure nothing falls through the cracks.

StackHawk is the best tool and aligns with our needs.

Product Security Manager
