SimpleRose automates security with Mondoo across entire tech stack
How a high-performance optimization company achieved real-time, centralized visibility into the compliance and configuration of their diverse tech stack.
About the Customer
SimpleRose helps teams tackle the world's most complex planning and scheduling problems — faster and in fuller detail. Whether organizations are looking to accelerate their existing optimization models, build a tailored decision support system, or explore SimpleRose's next-generation solver, SimpleRose helps their customers spend less time simplifying and more time solving.
Cloud-First IT Infrastructure
SimpleRose is a cloud-first organization with infrastructure primarily on AWS, structured through multiple sub-accounts managed under an AWS Organization and aligned with best practices for workload separation and security. SimpleRose employs cloud-native development practices and designs its applications for scalability, resilience, and observability, leveraging containerization and infrastructure-as-code within AWS.
SimpleRose's security function is embedded within the broader IT and operations teams. While not a standalone department, they operate a cross-functional team approach involving security champions from Engineering, Compliance, and IT, coordinated through the Rosarians — SimpleRose's team for Security, Ops, IT, and Compliance.
Security Challenges
One of SimpleRose's biggest challenges was achieving real-time, centralized visibility into the compliance and configuration of their diverse and rapidly growing tech stack, including cloud infrastructure, endpoints, SaaS platforms, and developer tooling.
“Although we had strong perimeter and endpoint protections in place through tools like CrowdStrike and Cloudflare, and we had Vanta to validate basic workstation compliance (e.g., password lock, encryption, antivirus, screen lock [PEAS]), all these solutions worked in silos.”
— Todd Bradfute, Senior Director of Security & Technology at SimpleRose
SimpleRose lacked a unified platform that could provide deep insights into the broader compliance posture of their systems, such as:
- Patch status and software versions
- File permissions and system configurations
- Cloud services configuration and container security
- Web asset security posture (such as misconfigured domains or cloud services)
As we scaled up cloud-native services and moved faster in CI/CD pipelines, these blind spots became more pressing. We needed a way to not just check boxes for compliance, but to validate the actual state of systems in a developer-friendly, extensible way — and Mondoo gave us that.
Solution: Mondoo
When Todd heard about Mondoo's Policy as Code solution at DevOpsDays, his interest was immediately sparked. That, coupled with Mondoo's ease of use, got SimpleRose quickly hooked.
With Mondoo, SimpleRose can now view their compliance status across different types of tools and assets in one place. Although they already had other tools that provided high-level insight, Mondoo goes much deeper into config-level verification, providing both breadth and depth.
“We were already using tools like Vanta to validate foundational workstation compliance, but we needed to go beyond high-level controls and into the specifics — like verifying if file permissions were correctly applied, patch versions were up-to-date, and Docker configurations followed best practices.”
— Todd Bradfute, Senior Director of Security & Technology at SimpleRose
With Mondoo, SimpleRose Now Gets:
Central and Deep Visibility
Consolidated compliance insights from diverse environments (e.g. laptops, AWS, DockerHub, internal web services), with deep config-level verification.
Customizable and Scalable Policies
SimpleRose can write and customize policies as code, making it easy to tailor checks to their specific internal standards.
Automated Security Pipeline
Smooth integration with their CI/CD and infrastructure pipelines enables security-as-code without blocking developer velocity.
Clear Actionable Paths to Resolution
Streamlined remediation processes that bridge the gap between detection and action.
“Mondoo gives us a razor-sharp answer for how to address identified problems.”
— Todd Bradfute, Senior Director of Security & Technology at SimpleRose
Implementation
Mondoo was very easy to deploy. I had workstation scanning running literally within an hour of seeing Mondoo's presentation at DevOpsDays. Connecting to our other environments was also pretty effortless.
Results
With Mondoo, SimpleRose achieved:
Remediation Process
- Mondoo reports on the worst offenders.
- SimpleRose targets the best ones to fix.
- SimpleRose uses RMM (for workstations), IaC (for workloads), and Terraform (for cloud tooling) to deploy fixes, using Mondoo's remediation code snippets.
- Mondoo rescans and shows if the score improved.
Conclusion
The key business drivers for SimpleRose adopting Mondoo centered around the need to unify and deepen compliance and configuration visibility across a rapidly growing tech stack, but Mondoo has delivered far more than that. With an automated, repeatable remediation process, SimpleRose has been able to reduce manual work, accelerate remediation, and ensure the most critical exposures are resolved quickly.
Mondoo's Policy as Code and its integration into the SDLC have also helped SimpleRose introduce security into their development process, catching security issues early without compromising on speed.
“Mondoo became our bridge between technical configuration and policy requirements, which is critical for scaling secure operations without introducing friction.”
— Todd Bradfute, Senior Director of Security & Technology at SimpleRose
“No matter where you are in your security journey, Mondoo meets you there. For those with existing tooling, Mondoo has had an answer for every tool we've needed to support. For organizations that know they have to support lots of different frameworks, Mondoo has been a great partner to grow with.”
“Mondoo enhances our ability to monitor, validate, and enforce security policies across all our IT surfaces from a single platform.”