
From Two Years to Two Weeks: How Labelbox Erased Its Security Debt with Snyk's AI-Accelerated Remediation

Article by

Snyk Team

September 18, 2025

Customer: Labelbox

Company size / Locations: 200 | San Francisco

Company overview: Labelbox is the leading data factory for delivering high-quality, frontier data to top AI labs and enterprise AI teams.

Champion / Spokesperson: Aaron Bacchi, Security DevSecOps Engineer

Key highlights: 

  • Unresolved high-severity SAST issues → cleared in 2–3 weeks

  • Efficiency gains and time freed up 

  • New level of confidence gained with automated validation

For leaders tasked with owning the security program at their organization, the reality is often a balancing act. Juggling pen test findings, cloud misconfigurations, and a growing SAST backlog that all demand attention leaves you constantly running scenarios in your head.

If you’re considering ways to burn down your backlog without burdening the engineering team with false positives, Aaron Bacchi, Security DevSecOps Engineer at Labelbox, is in the same position you are. See if you can steal a page out of Aaron’s book and supercharge your processes with Snyk’s AI-powered development workflows.

The challenge: A growing backlog, limited bandwidth

At Labelbox, Aaron Bacchi serves as the lead security engineer, championing his team’s efforts and safeguarding the organization by overseeing the security program end-to-end. One of the challenges Aaron faced was the time required to validate and confirm lower-priority SAST findings. High-severity, exploitable issues were always prioritized and quickly remediated, but the volume of less critical findings created noise that, without additional context and prioritization, slowed progress and contributed to a backlog that was difficult to chip away at.  

“The engineering team’s time is valuable, so I have to carefully choose which security issues get put in front of them to address. Giving them an issue that could have been easily validated as non-exploitable hurts my credibility and feels embarrassing when that happens.”

The impact: Snyk MCP + Cursor is a game-changer

Everything changed when he paired Cursor with the Snyk MCP server. Aaron soon realized he had a force multiplier and was able to do the work without increasing headcount. Aaron transformed backlog vulnerability management from a multi-year slog into a matter of weeks. 

“Before MCP, our SAST backlog had a growing number of issues, and without additional context, it was hard to tackle. Realistically, it could have taken me a full calendar year to address them using our traditional workflows.” 

Aaron had been using Cursor in his daily workflow and decided to test it in combination with Snyk’s MCP server to tackle the SAST backlog.

“I was already using Cursor every day — it already made me more productive. Once I paired it with Snyk MCP and pointed it at the backlog, it just clicked.”

What started as an experiment quickly turned into an ‘aha’ moment. 

The real magic came when issues were validated. In a single Friday session, Aaron identified 12 issues that could be closed because mitigating layers of security already covered them, something that could otherwise have taken weeks of back-and-forth with the engineering team.

What once felt impossible became a fast, repeatable process. 

Aaron systematically worked through vulnerabilities, applying fixes and validating them with MCP re-scans. Aaron fed the issue context into Cursor and watched the workflow play out.

“Cursor would attempt a fix, rescan with Snyk, and if it didn’t work, it would try another fix until the issue was resolved,” noted Aaron. “That gave me confidence that the vulnerability was really addressed.”

Labelbox gained a new level of confidence through automated validation.

The backlog that once seemed impossible became a fast, repeatable process. Within two weeks, Aaron had worked through the remaining high-severity issues, tested fixes in development to ensure that the application functionality remained intact, and passed them through QA into production. 

“I was able to burn through it in just a couple of weeks; I finally feel confident that I can remove our security tech debt,” recalled Aaron. “My manager was ‘thrilled’ and ‘impressed’ as well. He saw that I was taking work off engineering’s plate and confidently making changes in the platform codebase.”

The backlog-busting workflow

  • Identify: Pull issue details from the Snyk application and open the repo in Cursor.

  • Validate: Ask Cursor to scan the repository to get the latest security issue context from Snyk via MCP and evaluate the likelihood of an exploit to determine its priority.

  • Fix: For issues that should not be suppressed, run Cursor in agent mode to propose and test code changes.

  • Verify: Snyk MCP re-scans to ensure the issue is resolved.

  • Test & deploy: Aaron tests the fix in development, records a Loom video to show functionality, and hands it off to QA for staging and production.
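The five steps above, reduced to code as an added illustration (this is not Labelbox’s or Snyk’s code, and the scanner, findings and candidate fixes are all constructed stand-ins): a triage function that decides whether a finding is worth engineering time and records the rationale for anything suppressed, and a bounded fix/re-scan loop in the shape Aaron describes, where each proposed fix is only accepted once a re-scan no longer reports the finding.

```python
"""Constructed example of a validate -> fix -> re-scan workflow.

Nothing here calls Snyk or Cursor; `mock_scan` stands in for a SAST scanner
and the two `fix_attempt_*` functions stand in for patches an agent proposes.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    id: str                              # stable id: rule@path (not line-based)
    rule: str
    severity: str                        # "high" | "medium" | "low"
    path: str
    reachable_from_untrusted_input: bool
    mitigating_controls: tuple = ()      # documented reasons it is not exploitable


def triage(f: Finding) -> tuple:
    """Validate step: decide fix / suppress / backlog and keep a written rationale.

    A suppression without a rationale is exactly the kind of ticket that
    "hurts credibility" once engineering looks at it, so the reason is mandatory.
    """
    if f.severity == "high" and f.reachable_from_untrusted_input:
        return "fix", "high severity and reachable from untrusted input"
    if f.mitigating_controls and not f.reachable_from_untrusted_input:
        return "suppress", "not exploitable here: " + "; ".join(f.mitigating_controls)
    if f.severity == "high":
        return "fix", "high severity with no documented mitigating control"
    return "backlog", "lower severity; needs more context before engineering time is spent"


def _is_formatted_sql(line: str) -> bool:
    """Mock SAST rule: SQL text built by string formatting passed to execute()."""
    if "execute(" not in line:
        return False
    arg = line.split("execute(", 1)[1].lstrip()
    return arg.startswith(("f'", 'f"')) or ".format(" in arg or " % " in arg


def mock_scan(code: dict) -> list:
    """Stand-in scanner over {path: source}. Reachability is a constructed guess:
    anything under api/ is treated as fed by request input."""
    findings = []
    for path, src in code.items():
        if any(_is_formatted_sql(line) for line in src.splitlines()):
            findings.append(Finding(
                id=f"sqli@{path}", rule="sqli", severity="high", path=path,
                reachable_from_untrusted_input=path.startswith("api/"),
            ))
    return findings


def fix_until_clean(scan: Callable, code: dict, finding_id: str,
                    candidate_fixes: list, max_attempts: int = 3) -> tuple:
    """Fix + Verify steps: apply candidate fixes one at a time, re-scanning after
    each; stop at the first one the scanner no longer flags. Returns
    (patched_code_or_None, attempts_used)."""
    attempts = candidate_fixes[:max_attempts]
    for n, fix in enumerate(attempts, 1):
        patched = fix(code)
        if not any(f.id == finding_id for f in scan(patched)):
            return patched, n
    return None, len(attempts)


# --- constructed sample input -------------------------------------------------
VULNERABLE_LINE = 'cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")'
VULNERABLE = {
    "api/users.py": (
        "def get_user(cursor, user_id):\n"
        f"    {VULNERABLE_LINE}\n"
        "    return cursor.fetchone()\n"
    ),
}


def fix_attempt_format(code: dict) -> dict:
    """A plausible-looking but wrong fix: still builds SQL from a string."""
    src = code["api/users.py"].replace(
        VULNERABLE_LINE,
        'cursor.execute("SELECT * FROM users WHERE id = {}".format(user_id))')
    return {**code, "api/users.py": src}


def fix_attempt_parameterize(code: dict) -> dict:
    """The real fix: a parameterized query."""
    src = code["api/users.py"].replace(
        VULNERABLE_LINE,
        'cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))')
    return {**code, "api/users.py": src}


if __name__ == "__main__":
    for finding in mock_scan(VULNERABLE):
        print(finding.id, triage(finding))
    patched, used = fix_until_clean(
        mock_scan, VULNERABLE, "sqli@api/users.py",
        [fix_attempt_format, fix_attempt_parameterize])
    print("fixed after", used, "attempt(s); remaining:", mock_scan(patched))
```

The loop is bounded by `max_attempts` on purpose: an agent that keeps proposing patches until the scanner goes quiet can also “fix” a finding by rewriting the code until the rule no longer matches, which is why the manual test in development and the QA hand-off remain separate steps after the re-scan passes.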

“This workflow gives you ammunition. Whether you’re fixing issues yourself or bringing context to engineers, it saves time and helps you influence priorities. I’d tell my peers, if you can use it, I’d say absolutely try it.”

For Aaron, this isn’t just about backlog reduction — it’s about redefining what security teams can accomplish with AI-powered workflows. “This was transformational. For the first time, I feel confident I can get to zero.”

AI can supercharge your developer experience

Aaron led a shift that turned security from a bottleneck into an accelerator, freeing up his team's bandwidth to focus on the next frontier: preventing vulnerabilities from being created in the first place.

This is the other half of Snyk’s AI-driven development story, Secure at Inception. The same AI-native workflows that fixed the backlog can now be used to guide developers to write secure code from the very first prompt, ensuring a backlog like this never builds up again.

“I’m excited about applying AI to areas like least privilege for service accounts and incident response. Now that I have established a mature security foundation, I’m able to more easily focus on strategic threats.”

Labelbox now has a stronger, more strategic security posture that empowers developers to build secure code with confidence.

Want to learn how to solve similar issues? Install Snyk MCP Server today or read more Snyk success stories like Labelbox’s on our Customers page.

Get started with security for AI-generated code

Want to automatically secure code produced by AI-assisted tools? Sign up for a free Snyk account, or talk to our experts in a demo about what the solution can do for your dev security use cases.
