Solaris Improves Application Security Posture and Developer Alignment with Cycode
Summary
Solaris, an embedded finance platform based in Germany, faced challenges in improving application security and meeting regulatory requirements while maintaining high developer efficiency. Their fragmented tooling, composed of multiple commercial and open-source scanners, was difficult to maintain and fraught with false positives. These technical limitations made it impossible to implement effective application security controls and earn developer adoption.
Solaris needed a more effective, scalable, and developer-friendly solution that could operate on-premises, align with its diverse development languages and technology stack, and support security processes and policies without compromising development velocity.
By partnering with Cycode, Solaris was able to consolidate its security tooling, reduce false positives, and implement contextual, risk-based guardrails within its CI/CD pipelines. In parallel with developer education and enablement efforts, this shift not only elevated developer adoption but also allowed security to become a shared responsibility across teams, leading to improved security posture, board-level visibility into risk, and a stronger DevSecOps culture.
Key Outcomes
- 99.4% SLA compliance for critical vulnerabilities
- Reduced MTTR for high-risk issues by 61%
- Improved compliance posture by 76%
- Reduced time to triage by 98.7% from 3.1 days to <60 mins
- 46% of high-risk violations auto-remediated
- Reduced developer feedback loop time by 66%
About Solaris
Solaris is a German technology company with a full banking license delivering Europe’s leading embedded finance platform. Its Banking-as-a-Service Platform enables businesses to access and integrate financial services solutions, such as digital banking, payments, cards, identification, and lending services, directly in their products via APIs.
The Challenge
Operating within one of Europe’s most highly regulated industries, Solaris faced pressure to ensure that its applications met the highest standards of security and compliance. The company’s previous approach to application security was built around a homegrown tool called “MetaScan”, which cobbled together open-source and commercial scanners for SCA, SAST, IaC, and container security. While MetaScan offered initial visibility, it lacked cohesion, had coverage gaps, and was difficult to manage. MetaScan was architected by a previous team and was complex to maintain. It also had a high false-positive and false-negative rate. As a result:
- Developers were frustrated and disengaged, often ignoring alerts entirely
- Efforts to enforce security thresholds and gate CI pipelines were ineffective due to high-volume and low-fidelity alerts
- Blanket policies and a lack of risk-based prioritization leveraging application context led to urgent responses to low-risk issues while higher-risk violations persisted
- SLAs became meaningless due to unrealistic policies, alert fatigue, and mistrust
With security perceived as an obstacle, Solaris struggled with cultural alignment. Developers lacked buy-in on security processes, critical issues were overlooked, and compliance teams struggled to communicate meaningful risk metrics to regulators and the management board.
Solaris required a solution to consolidate its fragmented tools into a unified platform and embed security controls into the development process with accurate feedback and risk-based prioritization. Their initial requirements included on-premises deployment. The solution also had to support a wide range of programming languages and seamlessly integrate with their CI/CD pipelines and tech stack. Furthermore, they needed the ability to tailor policies for different application profiles and leverage business and technical context to focus remediation efforts on true-positive risks. Finally, it was essential that the technology aligned with people and process efforts to support DevSecOps practices and foster collaboration between developers, security, and engineering leaders.
The Cycode Solution
After evaluating several vendors, Solaris selected Cycode as the foundational technology for its application security program. Cycode stood out for its breadth of capabilities, support for flexible deployments with EU data residency, and seamless integration across Solaris’ diverse tech stack. The platform offered a unified approach to SAST, SCA, IaC, secrets scanning, and container security, all integrated into a single platform and easily embedded into existing CI/CD processes.
The initial deployment was not without hurdles. The internal environment and on-premises deployment required troubleshooting and infrastructure adjustments. Furthermore, while developers disliked MetaScan, they were hesitant to adopt a new tool and process. However, with Cycode’s partnership, Solaris was able to implement effective security guardrails in its CI pipelines and gain unified visibility into its risk posture. After two years using Cycode on-prem, Solaris migrated to a SaaS deployment, enabled in large part by the trust they had gained in Cycode. This step has contributed to tapping into the full potential of Cycode’s capabilities.
“Solaris and Cycode have grown and matured together, and it’s been a great experience. What I value most is the strength of our partnership. The Cycode team listens, understands our goals, and is deeply invested in helping us succeed. Their responsiveness and ability to adapt and evolve with us have made a real difference. I’d choose Cycode again without hesitation.” - Kimberly Mattheys, Head of Application Security and DevSecOps at Solaris
While never perfect, Cycode continues to rise to the challenge to deliver the technical capabilities to support the needs of Solaris’ developers and their secure SDLC processes. Solaris has pushed Cycode to further reduce false positives, improve contextual risk prioritization, and support tailored policies and controls for different applications. In parallel with security awareness and enablement programs, these technical capabilities have improved buy-in as developers get relevant security feedback in their workflows and begin to see how Cycode violations map to real risks in production. This has helped Solaris shift security from an afterthought to an embedded practice.
The Results
Since deploying Cycode, Solaris has experienced a meaningful transformation in its application security maturity and organizational alignment. By replacing its legacy and fragmented MetaScan tooling with a single, integrated platform, Solaris reduced the complexity and noise that had plagued its DevSecOps workflows. Security controls are embedded into the CI/CD pipeline, and what was once a passive system of warnings is now a proactive set of guardrails that provide feedback on non-compliant builds without disrupting innovation. With risk-based contextual alerting and custom policies, developer adoption and trust continue to improve, leading to stronger engagement and faster resolution of true-positive and risky vulnerabilities.
From a governance and compliance perspective, Cycode’s risk scoring system has become a key component in Solaris’ reporting to its management board. Executives now have a clearer understanding of the organization’s risk posture, and compliance processes have improved across the board. Security is no longer just a technical challenge; it is a strategic initiative supported at every level of the business.
“Cycode has transformed how we view and communicate application security risk at the executive level. The platform translates complex technical data into clear risk scores and compliance metrics that are easily understood by our senior leadership. This level of visibility has improved our ability to prioritize efforts, demonstrate progress, and make data-driven decisions with confidence. It’s not just about better security posture. It’s about aligning security with business strategy in a way that resonates across the organization and supports regulatory compliance.” - Nuno Teodoro, VP of Cybersecurity at Solaris
The partnership between Solaris and Cycode continues to evolve. The teams work closely on roadmap alignment, feature feedback, and continuous improvement. Integration with Cycode has also become a core requirement as the team evaluates tangential solutions for cloud security and vulnerability management.