DefectDojo: Revolutionizing DevSecOps with Automation and Open-Source Innovation – An Interview with Greg Andreson


Written by: Luka Dragovic
DefectDojo was born out of the frustration of dealing with unscalable cybersecurity tools, inspiring Greg Andreson and his team to create a solution that simplifies vulnerability management.

In an interview with Website Planet, Andreson shared how what started as an open-source project has evolved into a powerful DevSecOps orchestration platform, integrating with over 195 security tools to streamline security workflows. By leveraging automation, deduplication, and machine learning, DefectDojo helps security teams reduce alert fatigue and focus on real threats.

With its commitment to open-source, DefectDojo continues to make robust cybersecurity accessible to organizations of all sizes.

What inspired the creation of DefectDojo, and how has it evolved to become a leading platform in DevSecOps orchestration and vulnerability management?

What became DefectDojo was born out of very real frustration with cybersecurity tools and solutions. About a decade ago, I was interning for Matt Tesauro (now our CTO). Watching Matt & the team trying to protect an entire cloud was insane due to the challenges of effectively corralling tools and data to remediate the vulnerabilities found by our security testing. The task was impossible because of the state of application security (AppSec) as a whole, to the point where I told him, “If you give me the chance, I could write a tool to fix all of this.”

At the time, I had one professional programming project under my belt, but we still saw a problem: security’s inability to scale effectively.

We started with an open-source platform that we still support today and which has built a robust community over time of 400+ active contributors and 38M+ downloads. DefectDojo has been successful because of our focus on building a platform that addresses security professionals’ very real pain points, like alert fatigue or tool overlap. We remain the only open-source solution in the ASPM space.

Can you explain how DefectDojo integrates with over 195 security tools to provide a unified and scalable solution for security teams?

DefectDojo integrates with such a large number of security tools because professionals need to use a vast arsenal of security tools: one Gartner report found that large enterprises use 45 tools on average. These integrations allow the platform to ingest data smoothly into one centralized location to automatically consolidate duplicates, eliminate false positives, and identify vulnerability trends with the highest precision. This flexibility also means users can customize it for their specific needs.

Late last year, we announced the Universal Parser for DefectDojo Pro. The parser can support any and all security tools that produce JSON or XML data, the two most common data types in ASPM, making Dojo Pro even more flexible. On top of that, the parser allows you to adapt to tool changes immediately, preventing integrations from breaking and ensuring that teams always have a complete picture from all their tools. You can even customize the individual mappings when utilizing DefectDojo’s Universal Parser.

How does DefectDojo’s deduplication feature enhance the efficiency of vulnerability tracking and remediation processes?

Deduplication sounds simple in theory but is hard to execute well. We’ve been working to perfect it over the past decade. Trying to do it manually runs the risk of users simply missing some of the duplicates—as humans, we aren’t good with repetitive data—and it takes a huge amount of time and effort, up to 60% of a security professional’s time overall.

In the current landscape, deduplication has become even more necessary due to the sheer number of findings security teams must address on a regular basis. Companies are now averaging 500+ endpoint security alerts that need investigation per week. Professionals are having difficulty keeping up: 98% of leaders in one survey admitted to working extra hours each week.

At DefectDojo, we’ve found that machine learning is particularly effective. The algorithms used by our platform go beyond simple string matching to better identify duplicate findings from different tools and learn from human feedback to improve over time. This includes better classification of alerts, meaning the algorithm is more likely to surface findings that are actual threats instead of false positives. When 63% of cyber teams are spending over 4 hours weekly just on false positives, the DefectDojo platform helps save a lot of time and capacity for higher-level tasks.
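The two answers above describe ingesting JSON and XML scanner output into one central schema and then collapsing duplicates by more than exact string matching. The following Python example is added here for illustration and is not DefectDojo's own parser or deduplication code: two constructed scanner outputs, from a hypothetical `tool_a` emitting JSON and a hypothetical `tool_b` emitting XML, are mapped into a common finding record, normalized (case, whitespace, path prefixes, severity labels), fingerprinted on CWE, title, file and line, and merged while recording which tools reported each finding and the highest severity any of them assigned. The field names, tool names and sample findings are all assumptions made for the example.

```python
"""Illustrative cross-tool finding normalization and deduplication.

Added example, not DefectDojo code. Tool formats, field names and
sample findings below are constructed for demonstration only.
"""
import hashlib
import json
import re
import xml.etree.ElementTree as ET

# Constructed output of a hypothetical JSON-emitting scanner ("tool_a").
# The third result is an exact repeat of the first, as scanners often produce.
TOOL_A_JSON = json.dumps({"results": [
    {"rule": "CWE-89", "message": "SQL Injection in query builder",
     "path": "./src/db/Query.py", "line": 42, "severity": "HIGH"},
    {"rule": "CWE-79", "message": "Reflected XSS",
     "path": "./src/web/views.py", "line": 10, "severity": "MEDIUM"},
    {"rule": "CWE-89", "message": "SQL Injection in query builder",
     "path": "./src/db/Query.py", "line": 42, "severity": "HIGH"},
]})

# Constructed output of a hypothetical XML-emitting scanner ("tool_b").
# Its first issue is the same SQL injection as tool_a's, spelled differently.
TOOL_B_XML = """<report>
  <issue cwe="89" severity="Critical">
    <title>SQL injection in  query builder</title>
    <file>src/db/query.py</file><line>42</line>
  </issue>
  <issue cwe="22" severity="Low">
    <title>Path traversal</title>
    <file>src/files/download.py</file><line>77</line>
  </issue>
</report>"""

# Common severity scale so labels from different tools can be compared.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def _norm_text(s):
    """Lowercase and collapse whitespace so minor title variations match."""
    return re.sub(r"\s+", " ", s.strip().lower())


def _norm_path(p):
    """Unify path separators, drop leading './', and lowercase the path."""
    p = p.strip().replace("\\", "/")
    p = re.sub(r"^(\./)+", "", p)
    return p.lower()


def _norm_severity(s):
    """Map a tool's severity label onto the common scale (unknown -> info)."""
    s = s.strip().lower()
    return s if s in SEVERITY_RANK else "info"


def make_finding(tool, cwe, title, file, line, severity):
    """Build one record in the common finding schema."""
    return {"tool": tool, "cwe": int(cwe), "title": _norm_text(title),
            "file": _norm_path(file), "line": int(line),
            "severity": _norm_severity(severity)}


def parse_tool_a(text):
    """Mapping for the hypothetical JSON scanner."""
    data = json.loads(text)
    return [make_finding("tool_a", r["rule"].split("-")[1], r["message"],
                         r["path"], r["line"], r["severity"])
            for r in data["results"]]


def parse_tool_b(text):
    """Mapping for the hypothetical XML scanner."""
    root = ET.fromstring(text)
    return [make_finding("tool_b", i.get("cwe"), i.findtext("title"),
                         i.findtext("file"), i.findtext("line"),
                         i.get("severity"))
            for i in root.findall("issue")]


def fingerprint(f):
    """Stable identity of a finding across tools: CWE, title, file, line."""
    key = f"{f['cwe']}|{f['title']}|{f['file']}|{f['line']}"
    return hashlib.sha256(key.encode()).hexdigest()


def deduplicate(findings):
    """Merge findings with equal fingerprints, keeping the first seen.

    Records which tools reported each finding, how many duplicates were
    folded into it, and the highest severity any tool assigned.
    """
    unique = {}
    for f in findings:
        fp = fingerprint(f)
        if fp not in unique:
            unique[fp] = dict(f, fingerprint=fp, found_by={f["tool"]},
                              duplicate_count=0)
            continue
        u = unique[fp]
        u["found_by"].add(f["tool"])
        u["duplicate_count"] += 1
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[u["severity"]]:
            u["severity"] = f["severity"]
    return list(unique.values())


if __name__ == "__main__":
    merged = deduplicate(parse_tool_a(TOOL_A_JSON) + parse_tool_b(TOOL_B_XML))
    for u in merged:
        print(f"CWE-{u['cwe']:<4} {u['severity']:<8} {u['file']}:{u['line']}"
              f"  reported by {sorted(u['found_by'])}"
              f"  duplicates folded: {u['duplicate_count']}")
```

Running the block prints three merged findings from the five raw ones: the SQL injection reported by both tools (promoted to the higher severity and with two duplicates folded in), the XSS, and the path traversal. In a real pipeline the fingerprint fields would be chosen per tool type, since not every scanner reports a file and line, and the normalization rules are where most of the tuning effort goes.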

Could you share a success story where DefectDojo significantly improved a client’s security posture and DevSecOps pipeline?

A few years ago, DefectDojo was called in to help Pearson improve the efficacy of its security team. They were so bogged down that the 12-person team had only completed 44 security assessments in the past year for a global organization of more than 40,000 people. Their team had the talent, but DefectDojo made the team scalable.

Our platform became their centralized command center, ingesting data from different tools, automating low-level tasks, and assisting in reporting and metrics monitoring. With our platform, Pearson’s team was able to achieve an 840% increase in efficiency, scanning and protecting over 400 applications per year just two years later. These increases came even as Pearson’s team shrank due to attrition; due to how DefectDojo transformed their work, the team decided they didn’t need backfills for those roles, saving Pearson a significant amount of money.

What role does automation play in DefectDojo’s platform, and how does it empower security teams to focus on strategic initiatives?

At DefectDojo, our mission is to help security teams efficiently scale their AppSec, vulnerability management, and ASPM efforts. As part of this mission, our automation processes can help take over repetitive, labor-intensive tasks, like deduplication efforts. With the saved time and resources, a team can turn their attention to higher-level strategic thinking and problem-solving.

We’ve just pushed automation a step further on the Dojo Pro platform with our recently announced Rules Engine (available in early access). With the engine, teams can create rules to automatically manipulate, edit, enhance, add custom remediation advice to, escalate, or de-escalate specific findings, enabling security teams to better prioritize major issues or further enhance findings from their security tools without significant human intervention or manual effort.

Previously, to take these kinds of actions, professionals would write their own custom programs or perform multiple API calls for every scan they processed—at a high time cost. With this new feature, cybersecurity teams can surface the most pressing findings with as few actions as possible, giving them more time to remediate or address those findings.

How does DefectDojo support open-source software, and what benefits does this bring to the broader security community?

DefectDojo started as an open-source project, and we continue to support our Community Edition.

Both Matt Tesauro and I are involved with the OWASP (Open Worldwide Application Security Project) Foundation and have benefited from the resources and tools it makes available. Making DefectDojo open source was a good way to help give back. Furthermore, we believe that good cybersecurity should not be a luxury reserved for companies that have the biggest budgets.

In fact, almost half of all data breaches affect companies with fewer than 1,000 employees. On top of this, it is expensive to suffer a data breach. The Identity Theft Resource Center reported that the percentage of small businesses reporting losses of over $500,000 due to identity crime more than doubled between the 2023 and 2024 reports. These businesses have access to sensitive information just like their larger counterparts—I’ve had my data compromised even as a cybersecurity professional!

Supporting open-source cybersecurity makes cybersecurity more accessible—and helps protect everyone from cybercrime.

Find out more at: www.defectdojo.com
