From Complex Authentication to Confident Coverage: How Applied Systems Transformed Their AppSec with Escape
In a recent webinar on "From Business Logic Vulnerabilities to Actionable Insights: AI-powered Pentesting + ASM in Action," Andrew Orr Erwing, Manager of Security Engineering (AppSec) at Applied Systems, shared his team's journey in modernizing their application security approach.
For organizations that have grown rapidly through acquisitions, application security can become a labyrinth of complexity. Applied Systems found themselves facing this exact challenge—a sprawling tech infrastructure with intricate authentication processes that traditional security tools simply couldn't handle effectively.
The Challenge: When One Size Doesn't Fit All
Applied Systems needed a DAST solution that could navigate their unique landscape. As Andrew explains:
"We're an organization that has been around in tech for a while, but we've grown massively through acquisition and one of the reasons and drivers we sort of pushed to Escape: we have a complex authentication process, which in particular requires single-threaded scanning with authentication, as well as a complex application page in itself."
The team evaluated multiple vendors, but most couldn't rise to the challenge during proof-of-concept testing. That's when Escape entered the picture:
"And we engaged with Escape and a few other vendors, and Escape took the challenge on and managed to do it in the POC, and that was something that we were like, yeah, we're going to partner with these guys."
Breaking Through the Authentication Barrier
What set Escape apart wasn't just the willingness to tackle a difficult problem—it was the execution. "Escape took the challenge on and managed to do it in the POC," Andrew recalls. "You guys bent over backwards, managed to create this custom authentication, which you've now gone live with for everyone."
This custom authentication solution not only solved Applied Systems' immediate problem but became a feature available to the entire Escape user community—a testament to product development driven by real-world customer needs.
The Underrated Power of Visual Validation
For Andrew's team, one feature stood out as transformative yet often overlooked in the industry: screenshot captures.
"A lot of these tools just reproduce and give you the API endpoints and you're like, 'OK, I need to go validate this with a team for coverage,'" Andrew explains. "That can be really slow getting teams' input on that sort of thing."
With Escape, the process became dramatically simpler. "I've got the credentials, I can log in, I'll go click on all the screens, and I can go to the scan logs and check, 'OK, your crawler is seeing every single page.'" This visibility allowed the security team to configure and improve coverage without constant back-and-forth with development teams.
Less Noise, More Signal
One of the most significant improvements Andrew noticed was in the quality and relevance of findings. "The findings are a lot more reduced, there's a lot less noise," he notes. "What I like as well is the findings are typically a lot more complex, which is a good sign for us—not very basic."
The AI-powered validation added another layer of efficiency. "The team will see a screenshot for [XSS vulnerabilities] and the validation is already pretty much half done."
Steps to Reproduce That Actually Help
Perhaps the most frustrating thing about legacy scanning tools is their inadequate remediation guidance. "A lot of these tools we find just churn out 'this is how you replicate it,' and it's an XSS finding, and they give virtually nothing," Andrew observes.
Escape's AI-powered remediation changed that equation.
"It gives a good remediation process and steps to reproduce, which makes our team 10 times more efficient for validating vulnerabilities. We've been pretty lucky that the validation has been pretty solid so far, and that's a great thing to say."
Smart Deduplication: Protecting Teams from Alert Fatigue
When integrating with Jira for ticketing workflows, deduplication became critical. "We don't want to raise duplicate tickets for our devs to go address and create more noise," Andrew emphasizes.
Escape's intelligent deduplication system maps URLs and credentials to validate where vulnerabilities originate. "If it's not a new page or a new screen, it won't create a duplicate alert," Andrew confirms. This approach strikes the crucial balance between reducing noise and ensuring distinct vulnerabilities aren't incorrectly collapsed together.
Partnership at Speed
Beyond the technical capabilities, what impressed Andrew was the responsiveness of the Escape team. When Applied Systems encountered a complex CAPTCHA challenge, the team's reaction time was remarkable. "Antoine and his team managed to sort that in about half a day," Andrew shares. "We sent it to him and he was like, 'have a look at it now.' And I was like, 'oh, that works.'"
This level of partnership and the rapid iteration cycle made all the difference in deployment success.
The Bottom Line
For security leaders navigating complex, acquisition-driven infrastructure landscapes, Andrew's experience offers clear lessons:
- Custom authentication shouldn't be a deal-breaker—the right partner will find a solution
- Visual validation features dramatically accelerate coverage verification and team collaboration
- AI-powered context in findings and remediation guidance multiplies team efficiency
- Smart deduplication is essential for maintaining developer trust and ticket system hygiene
- Responsive partnership matters as much as product capabilities
If you want to see Andrew's testimonial live, you can watch the full webinar here.