Problem Statement

Users

Security operators who identify findings and engineering teams who implement fixes across government agency systems, including security leads, cloud engineers, DevSecOps practitioners, and application developers.

Use Case

When a security finding is identified, such as a misconfigured cloud resource, a non-compliant code pattern, or a vulnerable dependency, someone must interpret what the finding means, determine the correct fix within the specific codebase or infrastructure, and implement it through the standard development workflow.

Pain Point

Remediation sits at the boundary between two domains of expertise. Security teams can identify and contextualise findings but typically cannot modify the infrastructure or application code. Engineering teams can implement changes but may not understand the security implications well enough to determine the correct fix. Coordination between these teams loses context at each handoff, introduces delay, and produces inconsistent outcomes. In user research, vendor and engineering teams handle the majority of remediation but lack direct access to the security tooling where findings originate. Each finding requires its own interpretation-to-implementation cycle, and systems typically carry tens to hundreds of open findings.

Consequence

Findings remain open beyond their acceptable risk window. Remediation quality depends on whichever team carries the finding at the point of handoff rather than on a consistent standard. Backlogs grow faster than they are resolved, compliance posture degrades across reporting cycles, and the organisation cannot demonstrate timely response to identified risk.

User Research and Market Analysis

User Research

User research was conducted making use of user interviews with current users of CloudSCAPE, which are mainly security engineers. 6 of them were conducted as they were users we had previously engaged, and it would allow us to gain deeper insights.

• All of them pointed out that remediation had too many manual steps (understanding the finding, copying out the IaC remediation and then fitting it to the context of their project, and then getting developers to come up with a fix)
• 5 out of 6 of them pointed out that the volume of findings they need to face is quite large, especially if they are assigned to look after multiple projects, which is the case for some of our users
• There is also no medium or platform that allows users to link a finding to its fix clearly

De-risking

The assumptions we have made with our feature is that:

• Gap in expertise: Security engineers that can interpret the findings are not
  • This was something which we had validated through our interviews

Stakeholder Buy-in

We have gotten buy-ins from a couple of agencies including BCA, MTI and MOE based on some of our initial engagements and they are keen to explore our solution.

There is buy-in from CSG management as well for us to work on this solution as well.

Solutioning

Problem-Solution Fit

AI agents will help along various processes of the remediation process, with the main work done by the remediation agent that automatically generates a fix to the IaC repository that is ready to be reviewed and deployed.

Functionality

• User logs into CloudSCAPE (on Console)
• They will select the findings that they wish to remediate
• They will enter their IaC repository name for that finding and the branch they want to branch out from
• They will then click remediate for our agent to generate fixes for the selected findings
• Developers on the team can then adjust the fixes where necessary and deploy them to resolve the findings

User Experience

We ensure that the tracking of fixes on the platform requires minimal switching:

• Generating the fix can be done entirely on the CloudSCAPE platform
• Fixes can be tracked on with a dedicated page on CloudSCAPE
• MRs come within detailed comments on the fixes applied or why certain fixes were not able to be generated

User Validation

(No user testing on the prototype has been done yet, will fill this section once done)

Impact & Next Steps

Success Metrics

• Mean time to remediate for non-compliances: A decrease in this number would validate that our platform is effective in helping address findings in a shorter remediation cycle
• Volume of findings decreases: With more fixes being addressed quickly, overall findings should fall overall with respect to the number of systems present

Expected Impact

We plan to get a pilot of about 6-8 users to deeply engage on their experience before rolling the feature out to more agencies. The goal will be to reduce the number of non-compliant findings that aren't suppressed by 20-30%.