Software-First Companies Trust Cycode

See how our customers leverage the Cycode platform to build and deliver secure applications.

StoneX Consolidates Security Visibility and Drives Maturity with Cycode

About StoneX

StoneX is a Fortune 100 financial services firm with over 1,000 developers working across more than 50 product teams and approximately 8,000 code repositories. While StoneX had security tooling, it was fragmented across a massive environment. Without a unifying layer, answering a question as basic as how many vulnerabilities an application had meant manually querying multiple platforms and reconciling the results.

The security team partnered with Cycode to unify its security tooling, establish a gamified Security Champions program, and gain more visibility in 48 hours than they'd managed to build in the years before.

The Challenge

Before Cycode, StoneX used a variety of commercial and open-source scanners, but they operated in silos. The Application Security team had to manually consolidate data from four different source code management platforms and five different scanning tools just to understand the risk of a single application. Furthermore, scanners were triggered inconsistently, so developers often did not receive feedback until late in the development cycle.

“If you wanted to answer something as simple as how many vulnerabilities does application X have, you needed to go to two, three, four, five different tools and consolidate all of that,” said Cássio Batista Pereira, Application Security Evangelist at StoneX. “We needed something to bring all this information together and orchestrate all those scanners.”

Key pain points included:
  • Lack of Correlation: There was no automated way to link results from SAST (static analysis), SCA (software composition analysis), and DAST (dynamic analysis) scanners, so the same application's findings could not be viewed together.
  • Operational Inefficiency: Determining the total number of vulnerabilities in a product or the risk posture of a business unit required manual consolidation and analysis.
  • Orchestration Gaps: Scanners were not triggered consistently during the developer workflow, such as at the pull request stage.

The Solution

StoneX sought a platform that could consolidate and orchestrate its security tooling, with native scanners that matched or exceeded the tools they were replacing. After a structured evaluation of several vendors, StoneX selected Cycode for the combination of its platform capabilities and its native scanning quality.

Evaluation Criteria:

  • Consolidation: The ability to bring all security data into a "single pane of glass."
  • Orchestration: Automating when scans are triggered to provide immediate feedback to developers.
  • Context Intelligence: Using a graph-based approach to query data across the entire organization (for example, finding every project using a specific vulnerable library version in seconds).

“Consolidation requires more than aggregation. We couldn’t compromise by trading fragmented visibility for low-fidelity scans. Cycode delivered. The scanning engines provide the precision we required, giving us the confidence to replace our legacy tools and move everything into one unified platform.”
{ Cássio Batista Pereira, Application Security Evangelist }

The Results

Connecting Cycode to StoneX's SCMs, integrating the third-party DAST scanner, and linking to Active Directory took roughly a day. Within two days, the security team had unified visibility across all 8,000 repositories. “The speed of impact was staggering,” said Pereira. “In 48 hours, we had a more complete view of our risk posture than we had managed to build in the previous years.”

Beyond visibility, Cycode helps StoneX shift from managing alerts to partnering with developers to fix the critical risks that matter. Cycode's risk scoring and business-impact flags give security a framework for prioritization, and the policy engine lets the team enforce that logic directly in the developer workflow.

The success of the developer partnership is anchored in a Global Security Champions program. Champions progress through a belt-based program that starts with scanning coverage (White Belt) and advances through training and risk-hardening milestones to achieving and maintaining low-risk applications (Black Belt). Cycode is a key part of how champions track and accelerate that progress.

“Cycode is essential to making technical requirements achievable for our security champions,” said Pereira. “It makes it easy to establish scanning coverage and turns a complex security journey into a visible, trackable path to excellence.”

Key Outcomes:

  • Risk-Based Prioritization: Instead of chasing thousands of low-risk alerts, the team now uses Cycode's risk scoring to prioritize critical issues in high-business-impact applications, such as payment systems.
  • The "Security Champions" Program: StoneX launched a maturity model using "belt levels" (White to Black belt). Champions progress by meeting specific goals (such as scanning applications, reducing risk scores by 20%, and achieving low-risk-score targets) with Cycode playing a key role in how they achieve and track progress.
  • Developer Empowerment: By using Cycode’s policy engine to warn or block non-compliant pull requests, developers receive immediate feedback, allowing them to fix issues before they ever reach production.
  • Rapid Incident Response: Using the Context Intelligence Graph, the team can query the entire environment to identify exposure to new threats in a matter of seconds.

Conclusion: From Obstacle to Enabler

By partnering with Cycode, StoneX has fundamentally matured its security program. The platform has moved the security team away from a manual and reactive model toward a proactive, data-driven culture where security is integrated into the fabric of engineering and aligned with business objectives. With Cycode, StoneX hasn't just consolidated its tools. It has built a scalable engine for continuous security improvement.

“The value of Cycode isn't just technical; it's in the culture it enables and the strategy it supports. I often say that as a security team, we are like doctors. A doctor provides the diagnosis and the treatment plan. Cycode allows me to be a better security doctor. It gives me the high-fidelity data and the clarity I need to show executives, product owners, and developers exactly where the risks are and then advise on actions to harden security in alignment with business needs.”
{ Cássio Batista Pereira, Application Security Evangelist }