About Aquanow
Aquanow is a global B2B fintech company that provides institutional-grade cryptocurrency trading solutions and other digital asset management solutions. Its clients include financial institutions, neo-banks, and institutions seeking to strengthen their presence in digital asset markets.
Dhaval Tailor, an Infrastructure Security Engineer at Aquanow, works within the DevSecOps and Engineering teams. His responsibilities encompass application and cloud security, CI/CD pipeline security, data protection, IT governance, and regulatory compliance.
The Challenge
Prior to adopting StepSecurity, Aquanow had identified fast emerging risks and aimed to further enhance visibility into their CI/CD pipelines, particularly during runtime. Although they had implemented various static analysis tools, they sought to better address the challenge of identifying anomalous behavior that only becomes apparent during pipeline execution, thereby reinforcing defenses against potential supply chain security risks.
With Aquanow’s continuous growth risk areas further intensifies and introduces:
- Increased CI/CD complexity
- A surge in network and package dependencies
- Potential risks related to unmasked secrets during builds
- Extended execution times
Aquanow required real-time runtime monitoring of CI/CD workflows, with visibility into key areas such as:
- Network activity during job execution
- Behavior of untrusted packages or GitHub Actions
- Use of plaintext secrets or credentials at runtime
“Without StepSecurity, we had no visibility into unmasked secrets or API keys used by untrusted packages during pipeline execution.”
- Dhaval Tailor, Infrastructure Security Engineer at Aquanow
They had also evaluated other open-source solutions, but those lacked essential enterprise features such as:
- Centralized GUI-based management
- Secure agent rollout at scale
- Real-time exception handling
- Logging and runtime observability
Why StepSecurity
After the Aquanow team conducted proofs of concept with several other tools, StepSecurity distinguished itself with its comprehensive feature set and enterprise-level readiness.
Key reasons for choosing StepSecurity:
- Centralized rollout: Easily deploy the security agent across multiple GitHub repositories.
- Governance & control: Manage policies and visibility centrally via a GUI.
- Runtime observability: Investigate which process triggered a suspicious event.
- Rapid exception handling: Instantly unblock developers via an easy-to-use exception system.
- Domain/IP control: Enforce granular allow/block rules for outbound connections.
“StepSecurity checks all of these boxes. It is fairly easy to roll out to organization wide through GUI and easy to maintain afterwards. The key thing that we were impressed with is the ability to investigate the process events to identify what process is triggering the events. Not only that, but we also liked their exceptions management capability to unblock developer in a matter of minutes when they get blocked by StepSecurity rules. I think these two capabilities distinguished them well from others.”
- Dhaval Tailor, Infrastructure Security Engineer at Aquanow
Features That Made the Difference
- Runtime Activity Monitoring: Unparalleled insight into CI/CD behavior—who called what, when, and why.
- Centralized Agent Management: Deploy the agent across all or selected repositories with minimal effort.
- GUI-Based Governance: Security teams can approve exceptions, monitor pipelines, and enforce policy—all in one place.
Impact & Results
Following the implementation of StepSecurity, Aquanow achieved notable advancements:
- Improved incident response with real-time alerts, which reduced Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR).
- Proactive mitigation of risks from recent real-world incidents, such as the Shai Hulud NPM and s1ngularity AI-driven attacks, utilizing cooldown features.
- Significant time savings for security engineers, who no longer need to manually investigate suspicious actions, as insights are centralized in the StepSecurity dashboard.
- Enhanced runtime visibility through continuous monitoring of workflows, enabling real-time threat detection.
“StepSecurity has become a vital part of Aquanow’s CI/CD security strategy. It provides real-time visibility into workflow execution, detects suspicious behavior, and enforces best practices—from secret management to outbound network control—making our pipelines significantly more secure and resilient”
- Dhaval Tailor, Infrastructure Security Engineer at Aquanow
.png)
