u/Affectionate-End9885

We’re a mid-size fintech, about 80 engineers, mostly Java and Node on EKS. We have a security team of 4 and we're drowning in CVE tickets.

I've been pushing to move to minimal base images, cut the noise at the source. Security leadership gets it but the engineering VP keeps coming back with what if we need those packages someday. Like the curl binary inside a java runtime is suddenly load-bearing.

We're burning sprint cycles triaging vulns in packages we've literally never imported. It's absurd and nobody on the engineering side seems to feel the cost 'cause the tickets land on security, not them.

Anyone cracked this with leadership?

u/Affectionate-End9885 — 18 days ago

Skipping the mature security program preamble. We have one. It still doesn't cover this.

Here's what we have for AI/browser security right now: Bedrock guardrails on LLM inputs, prompt classification with output sanitization, an egress firewall with consumer whitelisting, OAuth and HTTPS everywhere. It's great on paper, but for the browser layer, I can say we effectively have nothing.

All of the above is infrastructure-side. The moment a user opens a non-sanctioned AI tool, installs a clipboard-exfiltrating extension, or pastes a customer record into some random GPT wrapper, we see none of it and so cannot enforce anything.

This isn't a config problem. It's an architectural gap. Network controls are blind to last-mile browser activity by design.

CASB doesn't go deep enough. Endpoint DLP doesn't inspect what's typed into web apps. SSE proxies break half our SaaS stack.

Everything I find needs a network rebuild (which I am not thrilled to pitch to the team) or only covers already sanctioned apps.

u/Affectionate-End9885 — 26 days ago

Been at this for six months. Started with random ChatGPT tabs and people forwarding stuff to personal Gmail to just run it through Claude real quick.

Did the training, updated the AUP, blocked some domains, yet nothing stuck. Last quarter found marketing running an entire workflow through personal Perplexity accounts.

It's not just prompts either. Folks uploading client decks straight into AI tools, half the org has at least one sketchy AI assistant extension installed, people signing into Notion AI with personal Google so SSO doesn't even see it.

Looked at several solutions before shortlisting Nightfall and LayerX. Found Nightfall is mostly API-based, works great for SaaS scanning, but doesn't really help when someone's typing into a ChatGPT tab in real time.

We are now in final stages of evaluating LayerX but before we commit, wanted to ask what you guys think about it. Anyone running LayerX in production? Mainly want to know how bad policy tuning gets at scale. Thanks a bunch!!

u/Affectionate-End9885 — 28 days ago