Podcast

S2E3: Conducting the AppSec Symphony: From Noise to ASPM Harmony

Application security posture management (ASPM) has become a crucial pillar of AppSec programs by aggregating, correlating, and prioritizing vulnerability reports arriving from various testing tools. In this episode of AppSec Serialized, Cenk Kalpakoğlu, founder of Kondukto, joins hosts Dan and Ryan to discuss the evolution of ASPM, how Invicti and Kondukto approach integrations, and how security can be embedded early in CI/CD pipelines. The conversation covers industry trends, automation, and lessons from Kondukto’s startup journey to its acquisition by Invicti.

Hosted by: Dan Murphy, Ryan Bergquist
Guests: Cenk Kalpakoğlu
October 30, 2025

Transcript

Dan: Hello and welcome to another episode of AppSec Serialized, the podcast about web security and those who practice it. Today, as always, I am joined by my co-host Ryan.

Ryan: What’s going on everyone? It’s good to be back.

Dan: And we have a very, very special guest today. Joining us is Cenk Kalpakoğlu, and he is going to be speaking with us as the founder of Kondukto, a company that, as of just about two months ago, almost to the day, was acquired by Invicti. We are really looking forward to his presence. So Cenk, when you started Kondukto, it was a while ago, right? When did you originally found the company?

Cenk: Actually, we were one of the early movers in this space. We released our first-ever version in January 2020, just before COVID happened.

Dan: Nice. So you’ve been cooking this in the lab for a while. When you started ASPM, Application Security Posture Management, it probably wasn’t yet an industry term. You didn’t set out to fill a particular segment but to solve a problem. You’re a guy who knows a lot about security and had the background to do it. If you went back to the earlier days, how would you describe what the mission of the company was before anyone had any idea what an ASPM is?

Cenk: Just like many security solutions, we started to develop this to solve our own issues. Earlier, I was working as an AppSec consultant, and my main motivation was to develop a tool – it wasn’t a product back then – that helped me provide better or easier consulting services. The mission wasn’t to build a startup. It was to serve more customers in our consultancy company in a better, quicker, and more efficient way. I see a pattern in many other security companies where a tool created from a need becomes a product or vendor later on.

When we started, ASPM wasn’t a thing. The industry didn’t even exist. The closest concept was ASTO, Application Security Testing Orchestration, which focused on automating and orchestrating SAST, DAST, and SCA tools. Back then, the main industry focus was coverage and automation, not posture management. However, from the Kondukto perspective, we always had a broader vision, even if we didn’t realize it yet. These industry names usually come later, often defined by Gartner or other advisory firms. After ASTO, Gartner experimented with ASOC, Application Security Orchestration and Correlation, adding the correlation piece. But correlation was fuzzy – everyone had slightly different meanings – and eventually it became ASPM. The funny thing is that Gartner was heavily betting on ASOC and told us they wouldn’t change the name. One year later, we had ASPM.

So my question to you guys: when you were engaging with Invicti customers before the Kondukto acquisition, what was the common pattern from an integration perspective? How did you approach that?

Ryan: Yeah, I can definitely take that one, Cenk. First of all, it’s great to have you on the podcast and within Invicti. I’ve really been excited these last few months, seeing the evolution of ASPM. As you mentioned, it’s changing and developing rapidly. From a customer standpoint, Invicti has always been a leader in integrations – over 50 out-of-the-box. We broke them into categories: issue tracking, CI/CD, project management, and privileged access management for form authentication. The main goal is scale. Organizations want to build trust between developers and security.

When we talk integrations, the priority is giving the most accurate results into issue trackers – good findings with zero to low false positives. With proof-based scanning, we can do that. We push results into JIRA, ServiceNow, Azure DevOps. That’s a big first step for getting security into the development lifecycle.

The cool thing is the integrations are bi-directional. Developers can fix issues, mark them done, and a webhook triggers a retest. It’s a great usability feature. In CI/CD, it can be hard to get security into builds, but advanced development teams increasingly trigger scans directly from pipelines. Before the Kondukto acquisition, we brought in an integration with Mend, experimenting with taking in vulnerabilities from SAST, SCA, and container scans. That gave us insight into correlation – linking confirmed DAST findings to SAST lines of code – and hinted at the future: ASPM as a full posture view, not just orchestration.

So flipping it back to you, Cenk – how many integrations do you have, and what are the most popular categories?

Cenk: We realized early that integrations are critical for an ASPM platform. Our goal was to connect everything to provide better decision-making. We even developed an internal toolkit to semi-automate integration logic – this was before AI-assisted coding. It helped us move fast. Back then, we could build an integration in under two weeks. That capability drove our strategy. We hit more than 120 integrations quickly. But the real value isn’t in the number – it’s in depth.

Dan: That’s really true. What customers use often changes with scale. Do you see patterns – like smaller SMBs using open source tools and enterprises using best of breed?

Cenk: Absolutely. There’s a pattern, but it’s shaped more by security maturity, team structure, industry regulation, and culture than by size. Early on, enterprises were hesitant to use open source, but that’s changed dramatically. Our vision was always to cover both ends: highly engineered, customizable solutions for mature teams, and more automated, autopilot approaches for SMBs. For example, we help customers create DevSecOps pipelines that automate scanners, processes, and workflows. For big enterprises, our goal is seamless integration into existing stacks – minimal disruption, maximum cooperation. And from a popularity standpoint, SAST tools used to dominate, but with containerization and Kubernetes, image scanners are becoming more popular each day.

Ryan: As startups and companies evolve, new security products constantly appear, which challenges integration coverage. We can’t build them all immediately, but your tool supports custom integrations. How did that come about?

Cenk: While working with big enterprises, we saw that mature teams often build their own scanners. We needed a way to handle those. So we created custom integrations that accept JSON or other parsable inputs and map them to known fields. It works across all security categories, allowing organizations to bring in their own tools or modified versions. Interestingly, some open-source solutions started this way – as internal tools that later gained community adoption. Now, enterprises are even using AI internally to validate or improve outputs, or to use them as triggers. More customization is definitely on the horizon.

I have one question for you: since Invicti now has its own internal ASPM, how are we using it within our SDLC?

Dan: Good question. As engineers, we care about real results, not performative security. We’ve moved our processes earlier in the lifecycle – security checks run inside CI/CD pipelines. That way, issues surface early, not during release or from customers. It’s faster and cheaper to fix. We use best-of-breed tools and, of course, our own for DAST and API testing. But managing many tools can be painful. We aim to centralize everything with a common interface and reduce friction.

Integration with developer tools is key. Findings flow directly into our issue tracking projects. Invicti ASPM’s strong CI/CD integration is valuable – it lets pipelines communicate with ASPM servers to trigger scans and check posture automatically. Cenk’s team also built great documentation with recipes to help embed these checks right after commits or pushes. Fixing flaws early means fewer meetings and smoother releases.

Ryan: You don’t want customers scanning and sending you reports and yelling at you? I thought that’s what everyone wants. Just kidding.

Dan: It’s orders of magnitude faster, cheaper, and better to fix early. Speaking of early – Cenk, as a founder, what’s one of your favorite memories from the startup days before the acquisition?

Cenk: That’s a tough one. One major milestone was landing our first international customer during COVID. We started with a small team and local clients, then suddenly closed a deal in the US without ever meeting in person. It felt surreal. I remember calling my co-founder, Can, to say it was done. We even had a company event afterward, which became a regular tradition. It was our first major validation moment.

Ryan: That’s huge – they saw enough value and trust without meeting in person. It shows the strength of the solution.

Cenk: Exactly. It was important for several reasons: it was our first international deal, in the US market, during COVID, when everything was changing. Definitely one of our biggest milestones.

Dan: Excellent. Thanks to everyone who contributed to this episode. Cenk, wonderful to have you on. Ryan, as always, great talking. And thanks to those behind the scenes who make it happen. Most of all, thank you to our listeners. This has been another episode of AppSec Serialized.
