Why CleverTap Walked Away From Branded Big-4 Penetration Tests

Manual security processes are roadblocks that delay new features. You think paying more means you’re getting more. But often, you just get a longer report that delivers endless headaches & a frustrated development team.



Reality Check: Pentest reports might do you more harm than good

Growing fast is hard. Securing that growth without slowing down your team is even harder, especially when your app handles data from billions of users.

With billions of user events processed daily, there was no room for vague recommendations or heavy, manual security reviews.

They needed real security, integrated with how their engineering and product teams shipped software - fast.

CleverTap didn’t come to us because of a breach. They were already a high-performing team trusted by global brands.

But after working with a Big Four firm for penetration testing, they realised they didn’t need a longer report. They needed faster answers.

They weren’t looking for a checklist. They wanted security that could keep pace with how they build, release, and earn trust at scale.

CleverTap Snapshot

Company: CleverTap

Industry: AI-based MarTech

Series D Valuation: $775 million

Customers: Over 2000

Tech: Shifted left to run security from its CI/CD pipelines without slowing down new feature development

Developers: >500



The truth? Big customers mean bigger expectations

Like most high-growth teams, CleverTap was under pressure from both sides. Enterprise customers demanded proof of security. Engineering teams needed room to build and ship.

And sales couldn’t afford to stall deals because of unanswered questionnaires or compliance delays.

They didn’t want another scanner that buried them in alerts or a checkbox exercise that just looked good on paper.

They wanted clear visibility, real-world findings, real-time developer-ready fixes, and a way to prove to customers that their security program worked.

That’s when they started working with Cyber Chief.

Instead of letting security slow things down, they started to move faster.

They decided that the traditional, penetration test-focussed approach to application security wasn't serving them now and would only hold them back in the future.

CleverTap didn’t want to bolt on security. They wanted it built into the way they already worked. Fast releases, strong QA, deep technical ownership.

They’d already tried other vendors for automation. Some were too shallow. Others buried the team in noise. In the words of their Associate Director of Data Privacy, who is an experienced infosec professional:

I tried Qualys. It was a disaster. If I have to create detailed journeys and recordings for every feature, that’s just not scalable.

Cyber Chief changed that. The setup was under 10 minutes. The scans were deep. Every finding included clear steps to replicate, impact explained in context, and code-level remediation guidance.

When questions came up, CleverTap had direct access to experts who could work with their environment, not against it.

You’ve made it easy. A couple clicks, and it’s scanning. I didn’t expect it to be this smooth.
Angel Indzhov, Associate Director – Data Privacy


AppSec that gives dev teams better visibility & more control

Nobody at CleverTap wanted to add more work to already busy engineering sprints.

They just needed real visibility into security risks and a way to fix them without slowing down new feature releases.

Their experience with big-name vendors left them with long reports but very little help in getting things fixed. The findings were often vague, hard to replicate, and disconnected from how their team actually operated.

This led to delays, missed context, and growing frustration across product and security leads.

Cyber Chief changed that by delivering developer-ready scans that included clear replication steps, impact summaries, and exact remediation paths, all integrated directly with tools like GitHub and Jira.

And when something wasn’t clear, support didn’t mean booking a call or waiting for a reply. CleverTap’s engineers could drop a message into the shared Slack channel and get answers from our security experts in real time, right inside their existing workflow.

I am super happy with our collaboration so far. The quality is great, especially compared to other vendors we were using. We are talking the same language.
Todor Petrov - Director of Software Engineering




1 question that screams "your AppSec is inadequate"

Cyber Chief didn’t ask CleverTap to change their systems. We expedited features on our roadmap at their request and met them where they were.

That shift moved them away from one-off scans and disconnected remediation. Now they had continuous visibility across APIs, containers, and cloud environments, and a way to act on it without second-guessing.

The risk isn’t just about breaches, it’s about losing deals, eroding trust, or failing to meet customer expectations. If you’re scaling fast and wondering when to “get serious” about security, here’s your answer:

If your customers are asking you for a security report, you’re already behind.

With Cyber Chief powering their security workflows, CleverTap now showcases their security maturity through a live trust portal.

Instead of scrambling for screenshots and PDFs during enterprise due diligence, their prospects are proactively given access to real-time evidence that security is being handled properly - during the sales process.

Cyber Chief provides the ability to get all our endpoints hit by users and bots through their Bolt API scanning. This is super valuable info for securing a large platform.
Todor Petrov - Director of Software Engineering




How Audacix Rebooted CleverTap’s Security Philosophy

With Cyber Chief's DevSecOps capability, CleverTap's development team became more self-reliant in managing their application security.

This strengthened their overall security posture without having to hire as many new, expensive security experts.

One of the noteworthy results was that CleverTap no longer had to enquire or guess what needed to be done next. In essence, their application security had been put on autopilot.

But the capability that the CleverTap team really appreciated was the "On-Demand Security Coaching" where Audacix’s security coaches helped the MarTech AI innovator’s development team fix security vulnerabilities in hours, instead of weeks.

Plus, CleverTap’s ability to chase larger enterprise clients was boosted by their ability to include the Certificate of Application Security provided by Audacix as part of their investor pitches.

This Certificate proves that CleverTap is a company where the security of funds, data and IP is the bedrock of everything they are building.

This reboot was made possible by CleverTap buying into Audacix's MAP (Modern AppSec Paradigm), which helps them build a culture of security rather than wasting money on random, disconnected security efforts.

Audacix's Modern AppSec Paradigm (MAP)

1. Integrated: AppSec runs from CI/CD

2. Autonomous: Nobody needs to click a button

3. Support: for developers when they need it

4. Depth: periodic, enhanced manual pentests

5. Champions: that help propagate the culture



You don’t need another 60-page PDF of “we found some stuff”

Top SaaS engineering leaders chase 4 powerful outcomes:

X-ray vision - see what’s actually fragile in your stack before your customer, your auditor, or your CEO asks.

A kill switch - something that says “fix this now” and means it. Not a red circle buried on slide 47.

Steering power - so security doesn’t stall your next release, hijack sprint planning, or trigger a game of “Who’s owning this?”

Show receipts - the kind that prove you're not winging security when a prospect drops a procurement questionnaire that reads like a CSI episode.

Because here’s the thing no one tells you - you don’t need more findings, just more control & fewer surprises.

⭐⭐⭐⭐⭐
They have excellent catches for vulnerabilities on our platform, but what is more important they are always available to discuss potential fixes, taking into account our business requirements.
Todor Petrov - Director of Software Engineering