AWS re:Invent 2025 - How Cathay Transformed DevSecOps with AI: A 75% Faster Security Story (SEC202)

Transforming DevOps to DevSecOps: Cathay Pacific's Journey with AI-Powered Security

Challenges and Motivations

  • Cathay Pacific faced significant challenges with their DevOps practices, including:

    • 78% of vulnerabilities identified were false positives, leading to thousands of hours of wasted time
    • Lack of clear roles and responsibilities for security remediation
    • Delays in time-to-market due to security issues found late in the development cycle
    • Difficulty consolidating and prioritizing vulnerabilities across multiple security tools
  • These issues were impacting Cathay's ability to innovate and deliver new features quickly, while also exposing the organization to potential security risks.

Shifting Left with DevSecOps

  • Cathay recognized the need to shift from a traditional DevOps approach to a DevSecOps model, embedding security practices throughout the software development lifecycle.
  • Key changes included:
    • Shifting security testing and scanning "left" to the earlier stages of development
    • Automating security testing and vulnerability management within the CI/CD pipeline
    • Fostering a culture shift to make security everyone's responsibility, not just the security team's

Security Champions Program

  • Cathay launched a multi-level Security Champions program to build security expertise and ownership within the application teams:

    • Level 1: Application-level security champions to drive early remediation of vulnerabilities
    • Level 2: Verification and decision-making on false positives and exceptions
    • Level 3: Strategic security leaders to guide long-term security direction and emerging threats
  • The program included both classroom training and hands-on, real-world application security work to develop practical skills.

AI-Powered DevSecOps with Agentic AI

  • To cut the manual effort of managing false positives and vulnerability exceptions, Cathay built an agentic AI solution:
    • The agents classify each finding as a true or false positive by matching it against a knowledge base of past triage decisions and company policies.
    • They then call the security tools directly to suppress confirmed false positives, which cut the manual review cycle from 45 days to 13 days.
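As an added illustration (not code from the talk, and not Cathay's implementation), the skeleton of such a triage agent in Python: findings from two scanners with different schemas are normalized into one shape (the consolidation problem noted under Challenges), matched against a knowledge base of earlier champion decisions, and only high-confidence false positives are suppressed automatically; everything else is routed to a human queue with a recorded reason. The sample findings, the knowledge base, the champion levels and the suppression policy (a Level 2 or higher ruling, not expired, never CRITICAL) are constructed assumptions, not details from the talk.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from datetime import date

# Constructed sample input: raw findings as two hypothetical scanners emit them.
RAW_FINDINGS = [
    {"scanner": "sast", "ruleId": "hardcoded-secret", "file": "tests/fixtures/keys.py",
     "level": "high", "message": "possible hard-coded credential"},
    {"scanner": "sast", "ruleId": "hardcoded-secret", "file": "src/billing/config.py",
     "level": "high", "message": "possible hard-coded credential"},
    {"scanner": "sast", "ruleId": "sql-injection", "file": "src/legacy/report.py",
     "level": "critical", "message": "string-built SQL"},
    {"tool": "sca", "advisory": "ADV-A", "component": "examplelib@1.0.0", "cvss": 9.8,
     "location": "package-lock.json"},
    {"tool": "sca", "advisory": "ADV-B", "component": "demo-lib@2.1.0", "cvss": 5.3,
     "location": "package-lock.json"},
]
TODAY = date(2026, 1, 15)  # constructed "current" date for expiry checks


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    location: str
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW

    @property
    def fingerprint(self) -> str:
        """Stable id so the same finding is recognised across pipeline runs."""
        return hashlib.sha256(f"{self.tool}|{self.rule}|{self.location}".encode()).hexdigest()[:16]


def cvss_to_severity(score: float) -> str:
    return "CRITICAL" if score >= 9.0 else "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"


def normalize(raw: dict) -> Finding:
    """Map each scanner's own schema onto one shape so findings can be consolidated."""
    if raw.get("scanner") == "sast":
        return Finding("sast", raw["ruleId"], raw["file"], raw["level"].upper())
    if raw.get("tool") == "sca":
        rule = f"vulnerable-dependency:{raw['component'].split('@')[0]}"
        return Finding("sca", rule, raw["location"], cvss_to_severity(raw["cvss"]))
    raise ValueError(f"unknown scanner schema: {raw}")


@dataclass(frozen=True)
class PastDecision:
    rule: str
    location_glob: str
    verdict: str           # "false_positive" or "accepted_risk"
    decided_by_level: int  # security-champion level that made the call
    expires: date


# Constructed knowledge base of earlier triage decisions (assumed, not from the talk).
KNOWLEDGE_BASE = [
    PastDecision("hardcoded-secret", "tests/fixtures/*", "false_positive", 2, date(2026, 6, 30)),
    PastDecision("sql-injection", "src/legacy/*", "false_positive", 1, date(2026, 6, 30)),
    PastDecision("vulnerable-dependency:demo-lib", "package-lock.json", "accepted_risk", 2, date(2025, 12, 31)),
]


@dataclass(frozen=True)
class Decision:
    finding: Finding
    action: str  # "suppress" | "review" | "remediate"
    reason: str


def classify(f: Finding, kb: list, today: date) -> Decision:
    """Assumed policy: auto-suppress only when a Level 2+ champion previously ruled the same
    rule/location a false positive, the ruling has not expired, and the finding is not
    CRITICAL. Anything else goes to a human (Level 2 review) or back to the developer."""
    match = next((d for d in kb if d.rule == f.rule and fnmatch.fnmatch(f.location, d.location_glob)), None)
    if match is None:
        return Decision(f, "remediate", "no prior decision; treat as true positive")
    if match.expires < today:
        return Decision(f, "review", f"prior decision expired {match.expires}")
    if match.decided_by_level < 2:
        return Decision(f, "review", "prior decision below Level 2; needs verification")
    if f.severity == "CRITICAL":
        return Decision(f, "review", "CRITICAL findings are never auto-suppressed")
    if match.verdict == "false_positive":
        return Decision(f, "suppress", f"matches Level {match.decided_by_level} false-positive ruling")
    return Decision(f, "review", f"prior verdict '{match.verdict}' needs re-confirmation")


def run_triage(raw_findings: list, kb: list, today: date) -> dict:
    out = {"suppress": [], "review": [], "remediate": []}
    for d in (classify(normalize(r), kb, today) for r in raw_findings):
        out[d.action].append(d)
    return out


def suppression_request(d: Decision) -> dict:
    """Payload an agent would send to a scanner's suppression API (hypothetical shape);
    the reason travels with it so every suppression is auditable and revisitable."""
    if d.action != "suppress":
        raise ValueError("only suppress decisions are sent to the tool")
    return {"fingerprint": d.finding.fingerprint, "tool": d.finding.tool, "rule": d.finding.rule,
            "location": d.finding.location, "reason": d.reason}


if __name__ == "__main__":
    for action, decisions in run_triage(RAW_FINDINGS, KNOWLEDGE_BASE, TODAY).items():
        for d in decisions:
            print(f"{action:9} {d.finding.tool}/{d.finding.rule} @ {d.finding.location}: {d.reason}")
```

The point of the split is the one the talk's champion model makes: the agent only acts on its own where a prior human ruling covers exactly the same rule and location; expired exceptions, rulings made below Level 2, and CRITICAL findings fall back to the Level 2 queue rather than being silently suppressed, and an unmatched finding is treated as real and sent to the developer.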

Results and Business Impact

  • Cathay achieved significant improvements through their DevSecOps transformation:
    • 50% reduction in remediation costs compared to fixing issues late in the development cycle
    • 75% reduction in detection and fix time for critical and high-severity vulnerabilities
    • 40% reduction in developer burnout from manual security tasks
    • Changes were 7 times less likely to fail under the DevSecOps approach
  • The combination of cultural change, security automation, and AI-powered vulnerability management let Cathay improve both its security posture and its time-to-market while reducing costs and developer overhead.

Lessons Learned

  • Culture change is critical - security must be embraced as everyone's responsibility, not just the security team's.
  • Tooling requires customization and integration to be effective - out-of-the-box security tools often need significant tuning and automation.
  • Automation, especially with AI/ML, can dramatically reduce the manual effort required for security tasks like false positive management.
  • A phased, iterative approach with clear goals and measurement is key to driving a successful DevSecOps transformation.
