Case Study
Mesh Escaped Dependency Hell and Achieved 70% Backlog Reduction with Hopper

Mesh Payments eliminated 83% of security alert noise and reduced backlog by 70% using Hopper. They now remediate vulnerabilities 3x faster with early alerts and third-party dependency visibility.

Customer: Mesh Payments

Introduction

Mesh Payments, a fintech innovator modernizing travel and expense management, needed a solution that could keep up with its fast-moving development cycles and high security standards. With critical services built in Java and Python, the company faced serious challenges managing third-party vulnerabilities and alert fatigue. The small security team was also responsible for supporting a much larger engineering organization.

Challenges Faced

Prior to Hopper, Mesh Payments used a modern SCA tool and a runtime security solution. While these tools provided some coverage, they failed in key areas:

  • Significant backlog and difficulty engaging developers in a way that would drive attention and remediation
  • Runtime tools missed large parts of the stack, including client-side and serverless
  • Runtime insights didn’t trace back to source code and lacked actionable context, leaving developers unsure where to apply fixes

Although vulnerable packages could be identified, the structure of the data was flat and lacked context on how packages entered the codebase or what depended on them. This forced engineers to assess risk and navigate potential breaking changes without clarity on the root cause or remediation path, resulting in what the team described as "dependency hell."

These limitations meant a single dependency alert could consume an entire day of manual investigation and coordination.

Solution Implemented

Mesh conducted a rigorous bake-off, evaluating five leading security tools side by side before selecting Hopper. The team chose Hopper for its ability to provide early visibility into issues, especially within third-party components, and to tie vulnerabilities back to their root cause with actionable remediation guidance. Hopper became the team’s source of truth for open-source security, delivering low-noise, developer-ready insights that complemented their existing runtime tools.

A game-changing moment came when Hopper identified a critical Java vulnerability in a large monolithic repository, before the runtime tool did. Thanks to Hopper’s call graph and reachability analysis, the responsible developers could immediately see where to fix the issue. The fix was deployed to 20 repositories within just a few hours.

Hopper pinpoints vulnerabilities to the exact function, file, and package, with full call graphs and context. This eliminates guesswork and manual investigation, giving developers precise remediation guidance. The security team also reported better collaboration with DevOps and engineering, thanks to more accurate and developer-friendly findings.

"Hopper's reachability functionality is a game-changer. Even with our runtime tools, it still really matters to know the reachability in our codebase, enabling the 'shift left' in our security program."

— Omri Vaizman, Senior Security Engineer, Mesh

Results Achieved

Hopper's implementation brought immediate and measurable improvements:

  • 83% noise reduction, enabling the team to focus on real threats
  • 70% reduction in security backlog within 3 months
  • 3x improvement in Mean Time to Remediation (MTTR), thanks to early and contextual alerts
  • Hopper matches runtime results 100% of the time, without being a runtime tool
  • 80% time savings on triaging dependency-related alerts
  • Improved cross-functional collaboration between security, DevOps, and developers

Hopper’s ability to analyze dormant code paths, full dependency trees, and source-level mappings provided broader and deeper coverage than runtime tools. Unlike runtime SCA, which relies on production traffic and sampling, Hopper uses static analysis at build-time to deliver real, actionable results across any environment.
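To make the reachability claim above concrete, here is an added illustration (not Hopper's code or Mesh's codebase; every function, package and advisory name is a constructed placeholder) of how static call-graph reachability separates vulnerable functions that the application can actually call from ones that merely sit in the dependency tree, and why a path that only runs from a scheduled job is found at build time but can be missed by runtime sampling.

```python
from collections import deque

# Constructed call graph: caller -> callees (hypothetical names, not a real codebase).
CALL_GRAPH = {
    "app.api.handle_upload": ["libcsv.parse", "app.util.log"],
    "app.api.handle_export": ["libpdf.render"],
    "app.jobs.nightly_reconcile": ["libxml.parse_doc"],  # dormant path: only runs from a cron job
    "libcsv.parse": ["libcsv.split_line"],
    "libpdf.render": ["libimg.decode"],
    "libxml.parse_doc": ["libxml.expand_entities"],
    "libimg.decode": [],
}

# Constructed advisory data: vulnerable function -> advisory id (placeholders, not real CVEs).
VULNERABLE = {
    "libxml.expand_entities": "ADVISORY-PLACEHOLDER-1",
    "libyaml.load_unsafe": "ADVISORY-PLACEHOLDER-2",  # in the lockfile, but never called
}

ENTRY_POINTS = ["app.api.handle_upload", "app.api.handle_export", "app.jobs.nightly_reconcile"]


def find_reachable(call_graph, entry_points):
    """Breadth-first walk from each entry point; returns {function: first call path found}."""
    paths = {}
    queue = deque((ep, [ep]) for ep in entry_points)
    while queue:
        fn, path = queue.popleft()
        if fn in paths:          # already visited via a shorter or equal path
            continue
        paths[fn] = path
        for callee in call_graph.get(fn, []):
            queue.append((callee, path + [callee]))
    return paths


def triage(call_graph, entry_points, vulnerable):
    """Split advisories into reachable (with the path that is the root cause) and unreachable noise."""
    paths = find_reachable(call_graph, entry_points)
    reachable = {fn: paths[fn] for fn in vulnerable if fn in paths}
    unreachable = sorted(fn for fn in vulnerable if fn not in paths)
    return reachable, unreachable


def missed_by_sampling(reachable, observed_at_runtime):
    """Reachable vulnerable functions that sampled production traffic never exercised."""
    return sorted(fn for fn in reachable if fn not in observed_at_runtime)


if __name__ == "__main__":
    hits, noise = triage(CALL_GRAPH, ENTRY_POINTS, VULNERABLE)
    for fn, path in hits.items():
        print(f"{VULNERABLE[fn]} reachable via: {' -> '.join(path)}")
    print("unreachable (suppress):", noise)
    # Simulated runtime sample that only saw the HTTP handlers, not the nightly job.
    print("found statically but missed by sampling:", missed_by_sampling(hits, {"libcsv.parse", "libpdf.render"}))
```

The path returned for a reachable finding names the application function that introduces the vulnerable call, which is the "where to fix" context the case study describes.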

"Using Hopper, we were alerted to a critical issue in Java, before our runtime tool, and we were able to fix it in 20 repositories within a few hours, rather than the days or weeks it used to take to remediate."

— Omri Vaizman, Senior Security Engineer, Mesh

Conclusion

With Hopper, Mesh Payments turned a reactive security posture into a proactive one. Function-level insights, zero-noise evidence-based alerts, and agentless deployment made Hopper a must-have for the Mesh security team. Hopper didn’t just match the runtime experience; it expanded on it, delivering coverage and precision that Mesh had never seen before.

Key Results

KPI                                  Outcome
Noise Reduction                      ↓ 83% of false positives eliminated
Time to Remediation (MTTR)           ↑ 3x acceleration
Backlog Reduction                    ↓ 70% fewer unresolved issues
Incident Management Efficiency       Significant time savings in triage
Dependency Visibility                Full coverage for third-party packages
Developer Productivity               Days saved tracing dependency issues
Security-Engineering Collaboration   Stronger workflows and shared context
Early Detection Capability           Alerted before runtime tools