CASE STUDY | Industry
AI-powered contact centers

Cresta Reduces Vulnerability Numbers by >99% with Oligo Security

2017
FOUNDED
200
EMPLOYEES
70
DEVELOPERS
Palo Alto, CA
HQ LOCATION
“We were able to reduce our vulnerability numbers over 99% by limiting our focus to those with an executed vulnerable function with Oligo.”
Robert Kugler
Robert Kugler
Head of Security & Compliance

The Challenge

Building Security (and Security Culture) At Scale Fast

When Robert Kugler became Cresta’s first security hire in 2021, his priorities focused on driving immediate security gains. “It was important to get stuff done really fast — you want to set up basic processes and procedures that enable the business to move faster, then start slowly to instill some security culture.”

About a year after taking the security reins at Cresta, Robert (now Head of Security & Compliance) was feeling frustrated with the state of existing products designed to check for vulnerabilities in open source libraries. “All the SCA products in the market are very expensive and nearly useless — they’re the most hated tools in security because it’s just too much noise.”

What’s more, Robert says the number of findings generated by SCA tools could generate confusion and unrealistic expectations from auditors and key stakeholders. “Every security leader has a problem today where dependencies are a nightmare full of vulnerability findings, while most auditors don’t understand how complex — even impossible — it is to have zero vulnerabilities,” he said.

Robert worried that these challenges could lead to misalignments with Cresta’s engineering teams, with approximately 70 developers. “There’s a security misconception that you need to just patch everything, regardless of if it is relevant or not,” he said. “That makes you an enemy of the engineering team.”

“The engineers’ job is to generate ARR by working on features, not doing validation work for the security team,” he explained. “If you dump a giant amount of work on your colleagues all day but you never even validate all the stuff you’re dumping on someone else’s plate, you don’t create a loving relationship.”

The Oligo Solution

When Robert first encountered Oligo Security, he said he found its unique approach “refreshing” right from the start.


“Oligo’s founders have a very valuable idea, and they have the technical background to execute on it,” he said. “When you’re a CISO you see a lot of demos for products that are basically pie charts that give you more ‘visibility’ and look like they should be used by an MBA, not a security leader, but Oligo is very different. It is a real engineering solution to a hard problem.”

Soon after watching Oligo in action, Robert knew he wanted it for his own teams. “Oligo is super useful because it enables teams to get prioritization right and focus on things that truly matter — not just fixing whatever the tool spits out.”

Rather than computing a risk score algorithmically, Oligo’s unique, patented eBPF innovations give organizations like Cresta an unprecedented look into exactly which libraries and functions are executed at runtime — so that instead of guessing what’s exploitable, every stakeholder can see the proof they need to know whether a vulnerability is a real danger or not.

“Oligo makes it easy to see whether something is really executed or not, whether you truly use the function or not, and that’s the level of granularity you need to base your prioritization decisions on facts, not feelings,” Robert said. “No other product works like Oligo – other eBPF solutions that try to do the same thing are built by people who don’t understand the problem at the same deep level, who can’t get into the libraries and individual functions to understand that not every finding is a real vulnerability. There is no one else in the market who does this the right way, other than Oligo.”

Deploying with Oligo was surprising, Robert said, because the company was unusually responsive to customer requests and ideas.

“When I talk to Oligo about requests for product improvements, I often see it in the product the very next week — or I see an extremely detailed MVP. That’s the level Oligo works at with its customers, and that’s very rare. Usually you get lots of promises until you sign a contract, but this is what sets Oligo apart: it truly cares about customers and doing the right thing. The founders started the company with this mindset, and they’ve hired people who share it with them.”

Results & Benefits

For Robert, Oligo’s biggest initial benefits came from the unique ability to filter security findings — including those found by other vulnerability scanners — to show only the ones with executed vulnerable functions.


“Dependabot and Snyk results can look like a disaster – tons of vulnerabilities, all are critical, the world is ending,” he said. “Oligo does the same exercise, but you can filter for executed libraries and executed vulnerable functions. We were able to reduce our vulnerability numbers over 99% by limiting our focus to those with an executed vulnerable function with Oligo.”

By dramatically reducing the number of vulnerability fixes “dumped” on the engineering team, Robert said he’s been able to create an organization-wide security culture at Cresta that could otherwise have been impossible.

“Engineers don’t hate security work,” he explained. “They hate stupid work that is dumped on them because no one in security is doing the validation to see whether a problem is real. Now the AppSec team can take care of vulnerabilities as an escalation case, where we go through the legwork to draft the PR ourselves. It’s a mentality change where the security team can really start to own its work.”

As relationships between engineering and security warmed, Robert said he’s seen unique and promising indicators of an organization-wide security culture developing.

“Last week our engineers spontaneously decided to implement two-factor authentication in a single two-day hackathon project,” he said. “They came up with the idea entirely on their own, and those are the moments you realize you truly made an impact — the security culture led to those cool events and drove change in the engineering department, because they understand they’re part of an extended security team.”

Why Oligo?

For Robert, the difference between Oligo and other tools on the market is clear. “This is the single security tool we have that is actually saving resources and not wasting them,” he said.

“In this industry, a lot of money is wasted, and a lot of tools don’t actually solve problems. Other companies show all these critical red dashboards — we all know there’s no shortage of problems, but we want solutions, not just visibility into the problems.”


Robert also found the “really, genuinely customer-obsessed” culture at Oligo to be a key differentiator from other solutions. “You can give them feedback and the next week it’s in theproduct. This is a strange, crazy thing to get used to. Usually with security companies you give feedback and then it’s ‘on the roadmap,’ but it’s deprioritized or never materializes. I’ve never had this kind of experience before.”

Robert said he’s excited about the next steps Oligo is taking to keep applications secure. “I was excited even about version 1.0, but what’s coming next is revolutionary,” he explained. “Right now Oligo can help with prioritization, but now the product has begun to detect actual compromises. Soon Oligo will be able to actually sandbox libraries, and that’s a really revolutionary idea: to have vulnerabilities that can’t be updated but can continue to be used because Oligo makes sure they can’t be exploited. Oligo changes the entire game, and gives us new mitigating controls that will pass an audit.”

When asked what he’d say to another company considering Oligo, Robert said, “Everyone should use Oligo because it’s important to be pragmatic. If you’re not using Oligo, you have bogus prioritization, with people spending time on the wrong things. That’s a tremendous waste, because they could be generating features. If you’re trying to get your vulnerability count to zero without validating those vulnerabilities, you’re destroying your business by taking up your engineers’ time with fixes.”

Robert saw Oligo’s focused results as especially important in an era of tightening security and development budgets. “We need to get out of a zero interest rate mentality where money was free,” he said. “There’s no budget to throw out the window as quickly as possible now. Oligo helps you to do the most things with the least resources. You get provable prioritization quickly, and narrow your problem to an extent that you can actually fix it.”

Zero in on what's exploitable

Oligo helps organizations focus on true exploitability, streamlining security processes without hindering developer productivity.