Application security is integral to the success of People.ai, and only becoming more important as the organization sought to unlock new business opportunities with a Microsoft 365 certification and following the new ISO 42001 standard. But they found their existing application security platform (Snyk) was not helping them achieve outcomes related to developer experience and compliance because of:

• Excessive False Positives and Manual Triage: The tool generated a large number of false positives because it couldn’t reliably understand whether the code was actually running, connected, or being used. The team (including security and software engineers) spent significant time manually triaging these findings, most of which turned out to be irrelevant because the dependencies weren’t used in their applications. This led to wasted effort on vulnerabilities that posed no actual risk.
• Impact on Developer Experience and Velocity: Developers experienced friction and disruptions to their workflow, with the tool often blocking Pull Requests (PRs) for issues that were later downgraded or found to be non-actionable. And because the tool couldn’t be trusted, there was frequent debate between developers and security about whether a vulnerability was really a risk.
• Limited Codebase and Language Coverage: The prior solution lacked the capability to scan 100% of their codebase because it didn’t offer full language support.‍
• Evolving Generative AI Risks: The rise of generative AI fundamentally reshaped their risk landscape, introducing new threats like "shadow AI" where employees might use unapproved AI tools. The incumbent tool wasn’t designed to handle these new types of risks or the increasing amount of code being generated by AI assistants.

People.ai’s security team ran a competitive evaluation to find an AppSec platform that could deliver on four key requirements:

• High Accuracy and Trust: They needed findings to be accurate and reliable so that they could stop manually triaging and use it to strategically block builds. To get there, the team wanted to see deep context on each finding. For example, the new tool had to understand if a library was actually running, connected, or being used rather than just being present in a package.
• Full Coverage and CI Integration: The platform had to support all their coding languages so they could achieve 100% scanning coverage of their code repositories. And because they care about automation and catching risk early, the tool had to integrate smoothly into the CI/CD pipeline.
• Modern, Flexible Architecture: They looked for a solution built with modern, generative AI architectures in mind, one that was flexible enough to adapt to their all-cloud, all-SaaS, geographically distributed environment and future pivots.
• Strong Partnership and Customer Success: PeopleAI prioritized vendors who were receptive to feedback, leaned into their vision for scaling, and were willing to partner on feature development.

Why Endor Labs Won

People.ai chose Endor Labs’ entire suite of application security tools because:

• Reachability-Based Prioritization: Endor Labs showed which vulnerabilities were actually exploitable in PeopleAI’s code, reducing false positives dramatically.
• Developer-Centric Approach: Designed for modern workflows it has intuitive APIs, easy CI integration, and actionable reporting.
• Modern Architecture and AI Security Leadership: From embedding scanning within AI code assistants to using agents to parse PRs, Endor Labs is showing what it means to build an AI AppSec platform.

Strong Partnership and Responsiveness: PeopleAI was impressed by the ease of implementing the platform, the outstanding customer success team, and the organization’s readiness to act upon feedback.