Affirm Reduces Manual Security Response Efforts by 50% with AWS Partner Expel

Affirm’s mission is to deliver honest financial products that improve people’s lives. Trust and transparency are at the heart of the company’s operations, and this extends to its cybersecurity program. “Our core values, which include ‘people come first’ and ‘no fine print,’ touch every part of the business,” says Sneha Regmi, director of security operations engineering at Affirm. “We make every decision—whether it’s about products, infrastructure, or operations—with security in mind. Protecting sensitive financial data is central to earning and maintaining our customers’ trust.” In fact, robust security features are a main reason Affirm chose AWS for its cloud environment.

Affirm initially used manual detection and response processes. Logs were not centralized across AWS environments, making it difficult for the security team to gain a comprehensive view in a timely manner. Various tools and log sources lacked seamless integration with AWS to correlate information across its distributed environments, which made scaling security operations difficult. As Affirm grew, security monitoring increased in complexity and volume. Security engineers and analysts faced alert fatigue from spending excessive time and energy in manually analyzing various cases. To address these challenges, Affirm needed an integrated solution to streamline workflows and enhance response times. The company also wanted to supplement its existing security operations team with added support that would help to dramatically enhance the existing monitoring capabilities, allowing the team to focus on higher-value engineering initiatives.

After exploring their options, the Affirm team selected Expel MDR, a service that blends AI and automation with human expertise to streamline security operations. It uses advanced automation capabilities to handle routine tasks such as log collection, normalization, and correlation, reducing the manual effort required by Affirm's security team. The service also incorporates machine learning and advanced analytics to identify potential threats and anomalies more effectively. With 24/7 real-time threat monitoring and response, Expel’s service determines which alerts are genuine and surfaces context-rich, actionable alerts to Affirm. During onboarding, Expel aligned its workflows with existing processes at Affirm to minimize disruptions. Expel’s customizable service integrated seamlessly with Affirm’s existing tools to streamline detection and response workflows. It centralizes logs and detections across services like Amazon GuardDuty, AWS CloudTrail, and Amazon Simple Storage Service (Amazon S3) in a unified system for analysis. Affirm engineers retained control over their operations and developed custom detections that Expel helped refine and integrate into the broader system.

Today, Expel handles the initial triage of day to day alerts and escalates to the Affirm team when deeper analysis is needed for high value complex findings. The company’s security operations platform, Expel WorkbenchTM, acts as a central hub that consolidates all logs, signals, and alerts into a single, easy-to-navigate interface. Affirm can then monitor its AWS environment while seamlessly managing its own custom detections in other applications, such as tracking interesting activities in single sign-on (SSO), Github, and other SaaS applications. Expel also provides additional coverage by augmenting built-in detections with custom logic, like identifying privilege escalation or suspicious proxy IP activity, to address Affirm’s unique requirements. Expel provides automated, consistent, real-time detections for Affirm across its distributed AWS environment. Expel also provides ongoing support through its live 24/7 SOC, including collaborative incident response, threat landscape advisories, and detection development. During significant incidents, Expel acts as an extension of the Affirm team, providing actionable recommendations and aligning responses with the company’s security goals. Regular communication between the two teams helps Affirm maintain a proactive and adaptable security strategy.

By centralizing monitoring across its AWS environment, Affirm streamlined its security operations, aggregating and normalizing data from over a dozen AWS accounts. “Without Expel, we would have needed to hire at least two to three times our current security engineering team to achieve this centralization,” said Guhan Kumaraguru, staff security engineer at Affirm. Expel MDR reduced the need for routine triage, freeing the Affirm security team to prioritize strategic initiatives like refining security strategies and building custom detections. “Today, our engineers manage 50 percent fewer investigations than they previously handled, allowing them to focus on higher-value work,” said Drew Gallis, staff security engineer at Affirm.

At the same time, streamlined workflows and a centralized alerting platform eliminated the inefficiencies of navigating disparate tools. This combination of AI automation and human expertise helped with critical outcomes like mean time to remediate (MTTR), which improved by an average of 40% over the last few years. The collaboration with Expel and AWS helps Affirm quickly address emerging security challenges without overburdening its internal resources, so the team can focus first and foremost on serving and protecting customers. With the support of Expel’s scalable, proactive approach to security operations, Affirm can focus on growing and expanding to new markets, including its recent launch in the UK. The partnership also enables the team to spend more time building and maintaining a proactive and robust security strategy in line with the trust and transparency central to its mission.