Why Moveworks Chose depthfirst to Secure Production

Moveworks: AI Assistant for the World’s Most Demanding Customers

Moveworks is an AI Assistant platform used by employees at hundreds of enterprises. They work with 10% of the Fortune 50 and 10% of the Fortune 500 companies, as well as tech leaders like GitHub, Snowflake, and Databricks. This means their security and engineering teams face stringent requirements from some of the world’s most demanding customers.

The Challenge: A Noisy Scanner Eroding Trust and Slowing Shipping Velocity

Like many software companies that ship code quickly, Moveworks used a code scanner to help secure their code without compromising on velocity. At least, that’s what it was supposed to do.

In reality, it did neither. It buried developers and security engineers in false positives and gave developers nonactionable remediation advice. Security was spending too much time triaging alerts that didn’t matter, and developers were losing hours going back and forth on vague findings instead of shipping product. Security needed to focus on real vulnerabilities, and developers needed something that would tell them how to remediate problems, instead of forcing them to figure it out from scratch.

Over time, that friction added up and Moveworks decided to take action. Security struggled to trust the scanner’s output because of the constant noise, and developers began to see security reviews as a tax on their productivity rather than a partner in shipping safer code, making it clear they needed a different approach to code security.

The Evaluation: Running a Proof of Concept with depthfirst

That’s when Hassan Ali, Head of Application Security at Moveworks, started looking for a new solution. As a security expert, he knew the ultimate goal of any security program is to find and remediate as many true vulnerabilities as possible, and that a code scanner alone would inevitably miss important ones. So instead of only considering scanners, he expanded the search to a full security platform.

That’s when Hassan came across depthfirst and decided to put it through a Proof of Concept: a two-week sprint where depthfirst ran on Moveworks’ main repo. Hassan evaluated depthfirst on:

1. Volume and severity or complexity of vulnerabilities found
2. Volume of false positives
3. Breadth of coverage across the stack

On coverage, depthfirst excelled by analyzing Moveworks’ applications, dependencies, containers, and infrastructure. However, where it really stood out was in the balance between vulnerabilities found and false positives flagged. This tradeoff is one that security leaders have largely had to accept until now.

Tight detection criteria can reduce false positives, but they also cause tools to miss real vulnerabilities. Looser, more sensitive criteria might find more issues, but usually create an unmanageable number of false positives that all look like critical vulnerabilities.

depthfirst delivered in the POC because it performed exceptionally well on both sides of the tradeoff. It identified complex vulnerabilities that had gone undetected while raising an order of magnitude fewer findings than the team was used to seeing. depthfirst also provided a report of potential alerts it marked as false positives, with explanations for each decision, giving the security team confidence that coverage was thorough even when alerts were suppressed.

This outstanding signal-to-noise ratio, combined with broad coverage, convinced Hassan that depthfirst was the right partner to help secure Moveworks.

The Solution: depthfirst’s General Security Intelligence

depthfirst’s General Security Intelligence is an AI security platform that analyzes a company’s entire codebase, infrastructure, and business logic to understand how it is supposed to operate. This deep context allows it to detect complex vulnerabilities that point solutions and rule-based scanners typically miss and recommend fixes that actually work.

Fast implementation

Implementing General Security Intelligence at Moveworks was lightweight. The team onboarded in about ten minutes by granting permissions to depthfirst’s GitHub app and connecting their artifact repository. No long rollout projects or complex rule tuning required meant that Hassan’s team could start realizing value almost instantly.

How Moveworks uses depthfirst’s General Security Intelligence

Today, General Security Intelligence has become an integral part of Moveworks’ security program and developer workflows:

• It continuously analyzes code, dependencies and containers for vulnerabilities
• It reviews pull requests and surfaces security and code-quality issues before code is merged
• It provides concrete fixes for existing vulnerabilities and remediation suggestions that developers can apply directly in the pull request, including code changes and explanations

“depthfirst catches business logic issues because it uses LLM-based detection. For example, it can detect missing authorization or validation checks that rule-based SAST engines or other code detection engines just won’t pick up.” - Hassan Ali, Head of Application Security, Moveworks

The Results: Stronger Security, Less Friction for Developers

By moving to General Security Intelligence, Moveworks strengthened its security posture without slowing down engineering.

• Strengthened its security posture. Moveworks’ team has accepted more than 130 recommendations in a few weeks to remediate complex vulnerabilities surfaced by General Security Intelligence
• Reduced load for security. General Security Intelligence has made Moveworks’ security team more efficient by reducing the number of low-value alerts they have to review. Because so many recommendations are accepted (74% so far), security spends more time on real vulnerabilities instead of triage.
• Faster development cycles. General Security Intelligence helps Moveworks ship code faster by suggesting one-click fixes for existing vulnerabilities and acting as an AI security engineer on every pull request, providing specific code suggestions that shorten reviews, reduce back-and-forth with security and cut the average time to remediate issues. In the words of Moveworks’ demanding developers:

“This is really cool, it is detecting not just security issues, but code quality issues too. It is making me write better code.”- Moveworks developer

“I cannot believe it is actually picking up the PR description, correlating that with the code I changed, and putting two and two together to flag issues.” - Moveworks developer

A recent example of General Security Intelligence’s impact came when the Shai-Hulud 2.0 npm supply chain attack was disclosed (November 2025), a self-propagating campaign that compromised hundreds of npm packages and tens of thousands of GitHub repositories in order to steal developer credentials and other secrets. Because General Security Intelligence had visibility into Moveworks’ codebase and dependencies, it helped the team quickly verify that they were not affected, without a time-consuming manual audit across services and pipelines.