Securing Code at Scale, Without Slowing Developers

Modernizing Application Security at SoSafe


When Mubasher Chaudhary joined SoSafe as an Application Security Engineer, he knew that building a scalable Application Security (AppSec) program meant more than just scanning code. It meant embedding security into the way developers actually worked without slowing them down.

SoSafe, based in Cologne, Germany, is a leading provider of security awareness training and human risk management solutions. By leveraging behavioral science, human-centered design, and adaptive AI, SoSafe delivers engaging, personalized learning experiences and smart attack simulations that turn employees into their strongest allies against online threats. Their platform is designed to foster secure behavior across organizations, making security awareness both effective and scalable.

Behind the scenes, SoSafe’s engineering team manages an ever-expanding codebase across both production and internal platform services. As that footprint grew, the security team faced mounting pressure to scale code reviews, reduce noise, and enable developers to ship fast, without sacrificing security.

Too many tools, not enough insight

Before adopting Semgrep, SoSafe’s security program was challenged by disconnected workflows and inconsistent scan outputs. Investigating a single issue often required navigating multiple systems and sources of information.

“Details lacked depth, the remediations weren’t actionable, and understanding a single alert meant jumping between scan reports and multiple dashboards,” Mubasher recalls. “We weren’t just looking for better alerts, we needed a simpler, more developer-aligned experience.”

The team also grappled with high false positive rates, limited visibility into which issues truly mattered, and a lack of automation to scale effectively.

Evaluating new options

When Semgrep’s team reached out, Mubasher had already heard about the tool from peers in the industry. They launched a proof of concept (PoC), bringing developers into the process early. What immediately stood out:

  • Clear, actionable findings with PR comments

  • Managed scanning for automatic onboarding of new repositories

  • Supply chain scanning with reachability analysis and EPSS scoring to reduce false positives

  • AI-powered triage to prioritize what actually matters

One by one, Semgrep quickly began resolving long-standing pain points across the AppSec lifecycle.

Quick wins, measurable gains

Semgrep was quickly rolled out across SoSafe’s engineering teams: nearly half of their key projects were onboarded in the first week, and all repositories within two weeks. Scan times dropped significantly, transforming the developer experience from friction and delays to speed and clarity.

“Now, developers see exactly what the issue is, right in the pull request. They know what to fix and why without switching tools,” noted Mubasher Chaudhary.

SoSafe even automated SBOM (Software Bill of Materials) exports for audit readiness and began integrating Semgrep data with their broader security observability tooling.

Building a security culture from the inside

SoSafe’s Product Security Working Group brings together product and engineering leaders to align on priorities and embed security across teams. Mubasher’s team doesn't work in isolation; they partner with developers directly to co-own outcomes.

“We treat engineers as partners, not just stakeholders. Semgrep helps us meet them where they are.”

Semgrep is now a core part of that security culture, powering pull request scans, automating triage, and fueling cross-functional collaboration.

Looking ahead

With strong early momentum, SoSafe is continuing to build for scale. Key focus areas include:

  • Bulk SBOM downloads to streamline compliance workflows (e.g. EU Cyber Resilience Act)

  • More flexible Jira integration, including the ability to unlink tickets and define policies

  • Deeper visibility and insights by feeding Semgrep data into their existing monitoring and analytics tools

A new standard for developer-centric security

For SoSafe, success means enabling developers to take charge of security without friction, and Semgrep has become central to that vision. To Mubasher, real success is measured by how easily developers can do exactly that. With Semgrep, that goal is being realized:

“With Semgrep, we’ve not only cut scan times dramatically, we’ve also built a more automated, scalable AppSec program that meets our developers where they work.” - Mubasher Chaudhary, Application Security Engineer, SoSafe

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.