01

The Situation

SecurityScorecard is a cybersecurity platform that helps companies monitor and manage risk across their vendor portfolios. The customers using the product are typically compliance and cyber risk professionals, not deeply technical cybersecurity people. Their job is to identify risks, communicate those risks to vendors, and get vendors to actually fix them.

The manual version of this work is brutal. Each portfolio can contain hundreds or thousands of vendors. Inspecting a single portfolio, writing up the findings, and drafting remediation emails to vendors took two to three hours. And there is never zero risk, so this work never stops.

Leadership wanted AI agents to automate parts of this workflow and had set an ambitious target: 20 agents, fast, to stay ahead of competitors entering the space. The number was arbitrary. There was no AI product leader in the organization, no validation process for what the agents should actually do, and no existing infrastructure to support rich agent experiences in the product. The platform's AI surface area was a chatbot, and other product teams did not have bandwidth to build anything beyond that.

02

What I Did

Killed the arbitrary number and found the real problems.

The first thing I did was throw out 20 agents and work backward from actual customer pain. I partnered closely with customer success managers and solutions architects, the people hearing frustrations every day, to identify where customers were losing the most time on work that did not require human judgment. Then I ran direct customer conversations to validate which pain points were the most tedious, the most time-consuming, and the most clearly automatable. We landed on 10 agents, each mapped to a specific workflow problem that customers described in their own words.

De-risked every agent with continuous customer feedback before committing to production code.

I recruited 9 beta customers, mostly through a newsletter campaign and CS/SA relationships, and ran live prototype sessions multiple days a week for the duration of the build. Customers used real workflows in working prototypes while we watched where friction and delight showed up. We fed this signal back into active development every week, sometimes editing requirements on tickets that were already written and sometimes catching problems before engineering started. This was not user research as a phase. It was a continuous signal loop inside the build cycle.

Designed the AI experience around the actual user, not the technology.

The users are compliance and risk professionals, not cybersecurity experts. The agents had to take questions from non-technical users, pull the right cybersecurity risk data, and explain it back in plain English that users could act on and forward to vendors without losing accuracy. The output had to be accessible to non-specialists while still rigorous enough for a CISO. With only a chatbot surface and no rich UI support, outputs had to be crisp and structured enough to copy directly into emails and reports.

Shipped a read-only v1 to prove value before building expensive integrations.

There were real API constraints. The platform had manual features but no write-back APIs for agents to save into those workflows. Rather than block launch for quarters, I scoped v1 as read-only: agents did analysis and generated output, and users moved results manually. Even read-only cut portfolio inspection from hours to minutes. That validated value early and gave us usage data before committing to deeper integrations.

03

The Outcome

  • $1.8M+ in combined expansion and renewal contract value
  • 10 AI agents shipped into private beta in under one quarter
  • 2-3 hours to minutes: portfolio review time reduction
  • 9 beta customers actively testing

The AI agents helped drive over $1.8M in combined customer expansion and renewal contract value, including $1.26M in renewal TCV and a $550K upsell.

We shipped all 10 agents into private beta in under three months with 9 recruited customers actively testing them. Portfolio risk reviews that took two to three hours dropped to minutes. One customer adopted the agents as their exclusive tool for writing vendor remediation emails, fully replacing their manual process.

Beyond direct customer impact, the process shifted how SecurityScorecard leadership thought about AI. The original 20-agent mandate became 10 high-quality agents backed by an orchestration fabric, a strategic reframe that set direction for the 2026 AI roadmap. The speed came from de-risking, not despite it.
