How ITS Inc. modernized a 15-year-old SaaS platform and achieved zero Critical/High vulnerabilities in production with Arnica's developer-native AppSec.

How ITS Inc. modernized a 15-year-old SaaS platform, adopted AI-driven development, and made Critical and High severity vulnerabilities a non-issue, all with Arnica embedded in every code change.

  • 0 Critical / High vulnerabilities in production
    Goal achieved & sustained
  • 2-person teams tackling major features
    Smaller teams, bigger output
  • 1 tool: SCA · SAST · IaC · Secrets unified
    One integration, full coverage

About ITS Inc.

ITS Inc. is a training and workforce development SaaS company with more than 15 years of platform history. When Brad Young joined as VP of Technology two years ago, he inherited a mature codebase carrying the weight of that history: some technical debt, accumulated security risk, and a development process that hadn’t kept pace with the speed modern teams demand.

Brad took on one of the harder roles in software: sole owner of engineering, QA, and DevSecOps at a growing SaaS company, responsible for charting a path from a legacy monolith toward a modern, AI-ready platform, without stopping the business to get there.

The transformation he launched is a case study in building from the beginning: working with smaller teams, enabling faster cycles, and ensuring security is native to developer workflows and AI tools from the start.

THE CHALLENGE

Security as background noise

The problem

At ITS, the story was one we hear across teams of all sizes: security scanning was inconsistent. Results came back in different formats, from different tools, at different points in the process (if they came back at all). Over time, findings became background noise. Developers learned to ignore alerts rather than act on them.

Critical and High severity vulnerabilities were making it to production, not because the team was careless, but because the signal was buried in friction and noise.

The pressure

A platform modernization was already underway: breaking down a monolith into smaller, focused services, containerizing infrastructure, and reducing attack surface. Each step opened new vectors that needed to be scanned: IaC files, new container configs, secrets in code.

AI-assisted development (Claude Code) was accelerating output, which meant more code, written faster, by leaner teams, and the security review process couldn't keep up. Brad's goal on day one: never release a Critical or High severity security issue to production. It sounds like a simple goal, but it is hard to enforce without the right workflow.

THE APPROACH

Security feedback at the moment code is written

The core insight was straightforward: security findings are cheapest to fix when a developer is still in context. Catching a vulnerability on every code push and in pull requests takes minutes. Finding it in production can take days, and costs multiples in engineering time, customer risk, and remediation overhead.

  • AI & Developer-native workflows

Arnica surfaces findings directly in the PR and on code push; developers see security feedback in Microsoft Teams and in the PR, the same way they see code review comments, with no context-switching and no separate dashboard to check.

  • Consolidated scanning

One tool replaced multiple point solutions: SAST, SCA, infrastructure-as-code scanning, and secret/key detection, all running from a single integration and producing consistent, actionable output.

  • SLA enforcement by severity

Critical and High severity findings are blocked from merging until resolved. Medium and Low are flagged for visibility but don't interrupt velocity. Developers know exactly what must be fixed now vs. what can be tracked.

  • Hardened container support

As ITS moved toward containerized infrastructure with hardened base images, Arnica's IaC scanning kept pace, catching misconfigurations before they reached any environment.

THE OUTCOME

Critical and High vulnerabilities SLA = N/A

Before Arnica, SLA violations were treated as just another part of the process. Now, the SLA for Critical and High vulnerabilities is 'N/A' – not because the findings don’t occur, but because the Critical and High risks are fixed before they ever reach production.  

ITS achieves 0 Critical or High vulnerabilities in production with Arnica.

100% developer adoption without the fight

Developer adoption is the failure mode of most security tooling. Teams ignore dashboards, mute alerts, and route around gates if the friction is high enough. At ITS, Arnica's PR-native approach meant the workflow matched how developers already worked, and Brad describes developer feedback as generally positive.  

Arnica unifies SCA, SAST, IaC, Secrets, and reputation in one AppSec platform.

AI TRANSFORMATION

How ITS made Claude Code work across the whole org

ITS's AI story did not start with technology. The transformation that made Claude Code adoption possible had already been underway for two years: breaking large teams into smaller, focused groups; establishing cleaner engineering practices; and building the infrastructure for faster, more confident releases.

When Brad began piloting Claude Code about a year ago, the groundwork was in place. By last summer, full rollout was underway company-wide. AI adoption spanned customer service, the leadership team, and of course, engineering.  

What changed with AI development

AI-assisted development changed the shape of work at ITS. Where teams once broke stories into horizontal slices with one engineer on the API and another on the UI, they now implement vertical slices end-to-end. A two-person team takes a feature from database to UI, with Claude Code handling the connective tissue.

This acceleration also raised the stakes on security. More code, written faster, by leaner teams, means more surface area to scan, and less capacity to manually review every output. Arnica's automated scanning became not just useful but load-bearing: a two-person team can't also be a dedicated security reviewer. Arnica does that work automatically.

Small teams, big output

The model Brad built at ITS is a preview of where engineering is heading: small, autonomous teams shipping complete features, with AI handling the implementation weight and automated tooling providing the guardrails.

In that model, every tool in the stack must pull its weight. A security tool that requires a dedicated reviewer, a separate login, or a weekly audit cycle doesn't fit. Arnica fits because it runs where the code runs: automatically in the PR, at merge time.

"Arnica has been a piece of allowing us to accelerate like that. As I've taken my team and split it up into smaller groups - some two-person teams tackling fairly big functionality - Arnica being part of it has been really successful for us."

— Brad Young, VP of Technology · ITS Inc.

THE BOTTOM LINE

Engineering transformation at ITS Inc.

Zero Critical or High vulnerabilities in production.

A 15-year-old SaaS platform modernized, AI-adopted, and secured, with a developer workflow that accelerates rather than blocks.

▸  Security goal achieved: Critical and High vulnerabilities no longer reach production.  

▸  Developer adoption: PR-native workflow means no new tools to learn or separate portals to check; security feedback arrives alongside code review.

▸  Consolidated coverage: SAST, IaC, SCA, and secret scanning unified under one integration, replacing multiple point solutions.

▸  AI-ready security: As Claude Code accelerated output, Arnica scaled with it, giving lean teams automated, AI-native security coverage that grows with their velocity.

▸  Transformation foundation: The shift-left security model was a prerequisite for successful AI adoption. Security embedded in the workflow made faster, smaller teams viable.
