How PROS rewired product security, achieving a 400% lift in design review coverage and design-to-code visibility

H.01 Scaled coverage 400% without adding headcount, replacing manual reviews with automated, continuous coverage across teams.
H.02 Consistent, high-confidence threat modeling applies the same STRIDE and ASVS standards across every product.
H.03 Unlocked visibility from design to code, exposing changes, drift, and development activity that were previously out of sight.

- Industry: Technology
- Region: North America
- Integrations: Confluence, Jira, Bitbucket, GitHub, Teams
Intro
As a leading provider of AI-powered SaaS pricing, CPQ, and revenue management solutions, PROS helps companies around the world optimize every shopping and selling experience. With decades of industry expertise and a reputation for innovation, PROS has consistently embraced technology to stay ahead of market change. As engineering teams accelerated development through AI and automation, the security architecture group saw an opportunity to evolve as well. The goal was not only to keep pace with this speed, but to strengthen the depth and quality of product security reviews and build a process that could scale as fast as innovation itself.
By adopting Clover, PROS introduced design-led product security as a continuous part of development. Automated reviews now run directly within the tools engineers already use, enabling consistent, high-quality threat modeling at scale. Additionally, the team has unlocked visibility from design to code, which not only gives them insight that was never possible before, but also makes them proactive in identifying where they can provide the most support to their internal stakeholders.
challenges
Manual reviews don’t scale
With roughly a 30:1 developer-to-product security ratio and only one or two people dedicated to product security, the team couldn’t manually review every design or release. Quarterly, documentation-heavy reviews consumed hours per team and left security without a sustainable way to cover the full scope of product change.
Inconsistent threat modeling across teams
Security reviews relied on each team’s own interpretation of requirements, producing uneven quality and depth. Some groups had strong security expertise while others struggled to apply frameworks consistently, making it hard to maintain a uniform security baseline.
No visibility across design and code stages
Once development progressed beyond design, security had no clear view into code-level changes, and no way to spot code changes that lacked a corresponding design artifact such as a PRD or ticket. This created blind spots in understanding how designs were implemented and where unreviewed changes could introduce risk.
solutions
Automated reviews embedded in the tools teams already use
Clover integrated directly with Confluence, Jira, Bitbucket, GitHub, and Teams, running design reviews automatically within each team's existing workflow. Reviews happen silently in the background, eliminating the need for manual documentation and allowing security to scale coverage without disrupting developers.
Standardized threat modeling for consistent coverage
Clover automated STRIDE-based threat modeling and mapped findings to OWASP ASVS, ensuring every team applied the same framework regardless of individual experience. Security requirements are now generated automatically per feature, providing consistent, high-quality coverage across all products.
Correlating design and code for real-time visibility
By connecting design artifacts with code repositories, Clover surfaces untracked code changes and design-to-code drift. Security can now see where development activity is happening without a corresponding design review, enabling proactive outreach and faster risk detection.
Scale
Scaling security to match pace with engineering
At PROS, the security architecture team wanted to bring security in step with the speed and innovation of engineering. With a roughly 30:1 developer-to-security ratio and only a small number of people focused on product security, quarterly manual reviews could no longer keep up with continuous releases. Each review required hours of documentation and coordination, and only a limited number of design changes could be covered. The team set out to find a way to scale reviews, maintain depth, and keep engineers focused on delivery.
quote
“What stood out to us was how Clover meets developers exactly where they work. Whether it’s Confluence, Jira, or GitHub, reviews happen within the tools our teams already use. It fits naturally into how engineering operates. Clover embodies what shift left should look like. It doesn’t throw new tools at developers. It integrates seamlessly into their environment, letting them focus on building while security happens in the background.”
With Clover, reviews now run automatically in the tools engineers already use. Designs created or updated in Confluence and Jira are analyzed in real time, removing the need for manual documentation and repetitive review steps. Security feedback appears directly in context, allowing teams to address issues immediately. This change has expanded review coverage by more than 400 percent without adding headcount, enabling security to keep pace with development while maintaining the same level of depth and consistency across products.
Threat modeling
Delivering exceptional threat modeling, every time
At PROS, security and engineering teams were already performing strong, detailed design reviews, but there was still natural variation in how threats were identified and prioritized. Even the most experienced engineers approached reviews differently depending on the product, the timing, or the specific context of a release. The security architecture team wanted to eliminate that variability and bring a new level of precision to its process, standardizing how threats were analyzed and ensuring exceptional quality every time, regardless of who performed the review.
quote
“I’ve always believed that if you start security early and do it right, you avoid mistakes later, but scaling threat modeling has always been impossible. We tried training, we tried throwing people at it, and it never worked. When I first saw Clover, I was skeptical it could scale threat modeling. But it works. Even our toughest critics, the architecture team, said this will revolutionize how we work with developers.”
With Clover, PROS brought consistency, objectivity, and depth to its design reviews. The platform automates STRIDE-based threat modeling, applies OWASP ASVS standards, and generates security requirements per feature automatically. Each review now follows the same rigorous framework, ensuring that every product meets the same high bar. This shift removed the variability inherent to manual analysis and raised the overall quality of threat modeling, giving security and engineering shared confidence that every design is reviewed with the same precision and completeness.
quote
“Clover automated our STRIDE-based threat modeling and aligned it with OWASP ASVS. It gives every team the same depth and structure of review, delivering exceptional quality every time. Before Clover, every review reflected the person doing it. Now, threats are assessed consistently and objectively. Every product is reviewed to the same high standard, without the variation that naturally comes with manual work.”
Design to code
Pulling back the curtain: visibility from design to code
Before Clover, once development moved beyond the design stage, security had little visibility into how designs translated into code. Changes sometimes occurred without a matching design artifact such as a PRD or Jira ticket, leaving potential blind spots in understanding how risks were being addressed. The team wanted to connect design and implementation in a single view to understand what was changing, where, and why, and to identify unreviewed work before it could introduce risk.
quote
“Even though we had many tools, this problem was solved for the very first time with Clover. We can now clearly see what kind of changes our development teams are making in code, how those changes align with design artifacts, and where additional focus is needed. It gives us a level of visibility we simply didn’t have before.”
Clover connected PROS’s design documentation and ticketing systems with its code repositories, correlating every design element to its implementation. The platform automatically surfaces untracked commits, design-to-code drift, and development activity happening outside approved designs. This gave security the context it had been missing, transforming design reviews from point-in-time checks into a continuous view of product risk. With this new visibility, security can proactively identify where guidance or intervention is needed, closing the gap between design intent and implementation.
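The correlation that both the solutions summary and this section describe (commits matched against design artifacts, with untracked work surfaced) can be illustrated with a small script. This is an added example, not Clover's code or PROS's process: it assumes commits arrive as `git log --format=%H%x09%an%x09%s` lines, that design artifacts are Jira-style tickets (PROJ-123) that record whether a design review has been completed, and that commit subjects carry the ticket key. All ticket keys, commit hashes, authors and titles below are constructed samples.

```python
"""Correlate commits with design artifacts and flag drift.

Added example (not Clover's code). Assumes commits arrive as
`git log --format=%H%x09%an%x09%s` lines and that design artifacts are
Jira-style tickets (PROJ-123) recording whether design review is done.
All ticket keys, commit hashes and names below are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Jira-style issue key, e.g. PAY-101 or AUTH-7.
TICKET_RE = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")

# Constructed sample of what the design-tracking system holds (hypothetical keys).
DESIGN_ARTIFACTS = {
    "PAY-101": {"title": "Discount approval workflow", "design_reviewed": True},
    "PAY-102": {"title": "Quote export to CSV", "design_reviewed": False},
    "AUTH-7": {"title": "SSO session refresh", "design_reviewed": True},
    "AUTH-8": {"title": "Audit log for admin actions", "design_reviewed": True},
}

# Constructed sample `git log` output: sha<TAB>author<TAB>subject.
GIT_LOG = """\
a1b2c3d\talice\tPAY-101: add approval service endpoint
b2c3d4e\tbob\tPAY-102 implement CSV export
c3d4e5f\tcarol\tfix flaky pricing test
d4e5f6a\tdave\tAUTH-7 refresh token rotation
e5f6a7b\terin\tPAY-999 quick hotfix for pricing rule
f6a7b8c\tfrank\tMerge branch 'feature/PAY-101'
"""


@dataclass
class Commit:
    sha: str
    author: str
    subject: str
    tickets: list[str] = field(default_factory=list)


def parse_git_log(text: str) -> list[Commit]:
    """Parse tab-separated git log lines and extract referenced ticket keys."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, subject = line.split("\t", 2)
        commits.append(Commit(sha, author, subject, TICKET_RE.findall(subject)))
    return commits


def classify(commit: Commit, artifacts: dict) -> str:
    """Map one commit to a drift category.

    tracked              every referenced ticket has a completed design review
    design_not_reviewed  references a known ticket whose design review is pending
    unknown_ticket       references only keys the design system has never seen
    untracked            references no ticket at all
    """
    if not commit.tickets:
        return "untracked"
    known = [t for t in commit.tickets if t in artifacts]
    if not known:
        return "unknown_ticket"
    if all(artifacts[t]["design_reviewed"] for t in known):
        return "tracked"
    return "design_not_reviewed"


def drift_report(log_text: str, artifacts: dict) -> dict:
    """Bucket commits by category; also list reviewed designs with no code yet."""
    report = {"tracked": [], "design_not_reviewed": [], "unknown_ticket": [], "untracked": []}
    referenced = set()
    for commit in parse_git_log(log_text):
        report[classify(commit, artifacts)].append(commit.sha)
        referenced.update(commit.tickets)
    # Reverse direction: designs approved but never implemented (or implemented
    # without citing the ticket), which is where outreach may be needed.
    report["designed_without_code"] = sorted(
        k for k, a in artifacts.items() if a["design_reviewed"] and k not in referenced
    )
    return report


def coverage_ratio(report: dict) -> float:
    """Fraction of commits whose design was reviewed before the code landed."""
    buckets = ("tracked", "design_not_reviewed", "unknown_ticket", "untracked")
    total = sum(len(report[b]) for b in buckets)
    return len(report["tracked"]) / total if total else 0.0


if __name__ == "__main__":
    rep = drift_report(GIT_LOG, DESIGN_ARTIFACTS)
    for bucket, items in rep.items():
        print(f"{bucket:22s} {items}")
    print(f"design-review coverage: {coverage_ratio(rep):.0%}")
```

On the constructed sample, the merge commit and the two feature commits that cite reviewed tickets count as tracked, the CSV export commit lands before its design review is done, the hotfix cites a key the design system has never seen, the test fix carries no ticket at all, and one approved design has no code referencing it. Those last four buckets are the outreach list; the ratio is the coverage figure a team can trend over time. A real deployment would pull the log and ticket data from the repository and tracker APIs rather than from inline strings, and would usually also match on branch names and PR descriptions, since commit subjects alone miss a share of references.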
Next for PROS
Securing the next frontier of AI-native development
As PROS continues to expand its use of AI in software delivery, the focus is shifting toward understanding how to secure AI-generated code and the growing ecosystem of internal agents and third-party tools. The organization is exploring ways to prevent policy drift as prompts and models begin to make implementation decisions, and to bring greater visibility into where and how AI is being used across products. Together with Clover, PROS is shaping what secure AI-native development looks like, balancing speed and innovation with the guardrails needed to keep every line of AI-assisted code aligned with organizational standards.