Trust at Scale: How Postman Earned Customer Confidence Through Transparency

The developer-first platform builds securely by design, eliminates critical issues, and creates its real-time CISO Dashboard to increase transparency and accelerate deals.

Postman

Industry: Technology

Region: Global

Wiz products: Wiz Cloud, Wiz Code, Wiz Defend

Use cases: CSPM, IaC Scanning, Wiz Sensor, DSPM

Cloud platforms: AWS

Challenge

  • Reliance on a collection of disconnected security tools, including AWS native tools, open-source scanners, and quarterly manual audits, created potential security blind spots across our cloud infrastructure.

  • Our previous CSPM solution triggered thousands of alerts to triage and lacked a unified methodology to prioritize risks and communicate them back to developers, resulting in alert fatigue and inefficiencies.

  • Our focus on security by design and on enabling a positive developer-first experience required security controls that are low-noise, contextual, and embedded directly into existing SDLC workflows.

Solution

  • Postman deployed Wiz's unified code-to-cloud platform across its entire software lifecycle, from IDE to production runtime, providing the visibility needed to prioritize risks and build securely by design.

  • The team built a real-time security posture dashboard in Wiz to clearly demonstrate to customers how it manages risk, helping buyers assess security maturity, reduce perceived vendor risk, and move faster through procurement. This meant fewer questionnaires, better alignment between sales and security, and accelerated sales cycles.

  • By embedding security tooling directly into developer workflows, Postman transformed its culture from security as blocker to security as enabler.

  • 30 to 0: critical issues eliminated

  • 92/100: security scorecard rating achieved

  • 1/2 day: average questionnaire response time vs. 7-day SLA

Postman’s Critical Role in the Modern Developer Toolchain

Postman sits at the intersection of every developer-to-developer, developer-to-machine, and machine-to-machine interaction. Over the past decade, the company evolved from a local API client into a cloud-first collaboration platform that’s a critical part of the modern developer toolchain, used to design, build, test, and monitor APIs that often sit on the critical path of customers’ applications. Today, Postman serves 40 million developers and 98% of the Fortune 500. 

With that growth came heightened responsibility. As Sam Chehab, Head of Security at Postman, explains, "I hold some of your most sensitive digital assets. Your secrets pass through my platform, and therefore, Postman needs to have a very high bar for what we would call enterprise security."

Chehab set an uncompromising standard for his team: Postman could not become the next cautionary tale in supply chain security, which meant the security team needed a fundamentally different approach.

From Reactive Monitoring to Proactive Protection

Postman's previous security infrastructure reflected a common challenge facing fast-growing technology companies: a collection of point solutions providing monitoring but not actionable insight. Quarterly manual audits filled the gaps, but the approach was fundamentally reactive.

The result was overwhelming noise. Security findings numbered in the thousands, but without cloud context or clear risk prioritization, the team struggled to separate genuine threats from low-priority issues. Yash Mehta, Senior Security Engineer at Postman, experienced this firsthand: "Prioritization was a key challenge because CSPM tools throw thousands of findings and you have to prioritize and triage them one by one."

Postman searched for a platform, not just another point tool. "Being able to jump into a problem in a couple of different ways and visualize that path fast was unparalleled compared to anybody else out there," recalled Chehab. 

Mehta also looked to minimize friction for developers, who were already focused on building secure code. However, existing tools often surfaced issues only after a pull request was submitted, making it harder to address them earlier in the development process.

The team needed a solution that could provide genuine end-to-end visibility—connecting code changes to cloud deployments to runtime behavior—while shifting detection earlier in the development lifecycle, where fixes are simpler and cheaper.

Postman completed their initial Wiz deployment in just one to two hours using Terraform, with full onboarding wrapped within weeks. But the real validation came even faster.

Within 1.5 days of signing their contract, Wiz's threat research team identified a critical CVE in internal tooling that Postman believed had already been patched. For Chehab, this discovery was definitive proof that Wiz could detect what other tools missed.

Shifting Left and Winning Developer Trust

Postman's long-term security transformation required cultural change: embedding security throughout the organization and at development inception.

Chehab articulated a clear philosophy: "Security’s job is to figure out how to get the hell out of the way." This meant shifting from manual staging reviews to a complete DevSecOps approach where security starts in the design phase.

Mehta and his team focused on making security tooling something developers would actively want to use. Instead of discovering vulnerabilities only after raising a pull request, with Wiz Code’s IDE extension, developers could identify and fix issues in their local environment before committing code.

Wiz’s unified platform makes risk visible early in the software lifecycle and actionable for both security and developer teams. By managing security policies centrally and enforcing them consistently in IDEs and pull requests, while still tailoring policies to specific projects and risk profiles, we can meet developers where they are. That’s reduced tension and improved collaboration between security and engineering.

Yash Mehta, Senior Security Engineer, Postman

Wiz’s code-to-cloud capabilities proved essential for Postman’s strategy to strengthen security everywhere, both by shifting earlier in development and extending into runtime. When a runtime alert fires, the security team can trace it back to the specific code change that introduced the risk—turning vague alerts into actionable tasks.

Security as a continuous business metric–not a quarterly report.

Chehab intentionally shifted his team’s focus away from traditional security metrics, like the number of findings closed or audits passed, and toward a clear business outcome: building customer confidence in Postman’s security posture to accelerate deals. That shift fundamentally changed how success was measured across security and engineering.

Instead of pointing prospects to static SOC 2 reports or entering weeks-long security questionnaire cycles, Chehab adopted a radically transparent approach. The answer wasn’t another document; it was a live CISO dashboard built on Wiz.

I have a CISO dashboard built that I use to look at the health of my entire production environment. That is the same dashboard that I pull up with customers for full transparency on what our cloud security posture looks like.

Sam Chehab, Head of Security, Postman
(Image: Postman CISO Dashboard)

The dashboard exposes real-time security posture metrics, including a continuously updated scorecard (92/100), giving customers immediate visibility into how Postman secures its cloud and applications. When buyers ask about data handling or risk management, the team shows live posture, not point-in-time attestations.

Critically, this approach also redefined internal accountability. Security and development teams aren’t measured once per quarter against an audit checklist. They’re measured every day against the same posture customers see. Maintaining a strong score became a shared, continuous responsibility across teams, reinforcing secure-by-design behaviors throughout the year.

Security moved from a periodic compliance exercise to a living, customer-facing signal of trust, one that drives faster sales cycles and higher internal security standards at the same time.


The business impact extended beyond faster deal cycles. Before Postman obtained third-party validation of its baseline security controls and confirmation of its compliance (achieved in 2026), entering the healthcare market required signing Business Associate Contracts and Agreements that demand demonstrable data security practices. Wiz's Data Security Posture Management capabilities allowed Chehab to scan the entire environment and provide the necessary assurance. Healthcare deals that were previously blocked became possible.

To further accelerate customer acquisition, the security team built AI-powered automation to handle security questionnaires. While their SLA is seven days, the actual average response time is now 32 minutes—a dramatic improvement, eliminating friction in enterprise sales cycles and requiring less overhead for Postman customer-facing teams to go back and forth with their security colleagues.

A Complete Security Transformation

Six months into its security modernization, Postman has fundamentally reshaped its security operations. By treating transparency as a key differentiator and embedding security throughout the development lifecycle, Postman shifted its program from reactive monitoring to proactive protection. This transformation made security a direct enabler of revenue, rather than just a compliance requirement.

Key results include:

  • Elimination of Critical Issues: Postman joined the "Zero Critical Club" by eliminating all 30 critical issues.

  • Sustained Low Risk: They consistently maintain just 3-5 high-severity open issues.

  • Improved Efficiency: The signal-to-noise ratio drastically improved, cutting vulnerability prioritization tenfold—from 10,000 findings to 1,000.

Leveraging Wiz, Postman's security team fulfills its core philosophy: staying out of the developers' way while ensuring that every line of code, cloud resource, and runtime process meets the stringent security standards required.
