How Shopify Responded When the AI Attack Surface Outpaced Security
As AI adoption accelerates across engineering teams, security leaders are facing a familiar but intensified problem: an AI attack surface that grows faster than human capacity.
New tools ship faster. Code changes more often. Vulnerability reports arrive in higher volume and with more complexity. And the expectation remains the same: sort signal from noise without burning out the people doing the work.
That was the reality Shopify found itself in as AI became part of everyday development. It was a challenge of scale.
Shopify approached that challenge by rethinking how humans and AI could work together to turn an overwhelming flow of security reports into clear, confident action.
The Challenge: When the AI Attack Surface Outpaced the Inbox
By the time Jill Moné-Corallo stepped in to lead Shopify’s bug bounty program, the team was already operating at full throttle.
Fewer than ten analysts were responsible for reviewing hundreds of vulnerability reports each week. Each report required careful reading, historical context, and consistent judgment. Some affected a single merchant. Others could impact millions.
As Shopify’s engineering teams leaned further into AI, the AI attack surface expanded alongside them. Reports became longer, more verbose, and harder to parse. Analysts found themselves rereading submissions, chasing unclear reproduction steps, and manually checking years of precedent to ensure consistency.
Inbox zero felt out of reach. Onboarding a new analyst could take close to eight months. And the cognitive load of repetitive triage work increased the risk of burnout.
This was not a tooling gap. It was a human scalability problem.
The Action: Using Agentic AI to Support Human Judgment
Instead of treating AI as a replacement for analysts, Shopify treated it as a teammate designed to handle the most grueling parts of the workflow.
In a recent webinar with HackerOne, Moné-Corallo specifically emphasized AI’s impact when onboarding new analysts.
Beyond onboarding, agentic AI systems were introduced to perform first-pass analysis on inbound reports. Their role was simple but powerful: read everything, remember everything, and surface what matters.
These systems helped distill verbose submissions into their core issues, flag similar historical reports, and highlight where additional clarification was needed. Analysts could focus their attention on the specific technical questions that required human judgment.
“It really enabled us to trudge through those more verbose reports where you get lost in the weeds,” Moné-Corallo said. “The tool can tell us, ‘Here’s the one line we should tease out,’ instead of us spending hours stuck in the pile of reports.”
Over time, this created a rhythm. Analysts learned where AI outputs were reliable and where a second look was needed. AI was used to check consistency, reduce repetition, and bring objectivity to scoring discussions without overriding human context.
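The first pass described above (distill a verbose submission to its core lines, flag similar historical reports, and point out where clarification is needed) can be sketched as a pipeline. The following is an added illustration, not Shopify's or HackerOne's tooling: it stands in for the model-based analysis with plain heuristics so the shape of the workflow is visible. The stopword and keyword lists, the Jaccard threshold of 0.2, the report identifiers and every report text are constructed assumptions for the example.

```python
"""Illustrative first-pass triage for vulnerability reports.

Added example: this is not Shopify's or HackerOne's tooling. It sketches the
three jobs the article gives the agentic first pass (distill the core issue,
flag similar historical reports, highlight missing clarification) with plain
heuristics so the pipeline shape is visible. All reports are constructed.
"""
import re
from dataclasses import dataclass

# Filler words ignored when comparing reports (assumption: a small hand list).
STOPWORDS = {
    "the", "a", "an", "and", "or", "to", "of", "in", "on", "is", "it", "this",
    "that", "i", "we", "you", "with", "for", "as", "be", "by", "was", "are",
    "at", "from", "can", "will",
}
# Terms that usually mark the sentence carrying the actual finding (assumption).
KEYWORDS = {
    "xss", "csrf", "idor", "injection", "bypass", "leak", "unauthorized", "rce",
    "ssrf", "token", "payload", "escalation", "exposed", "admin", "stored", "script",
}


@dataclass(frozen=True)
class Report:
    id: str
    title: str
    body: str


def tokens(text: str) -> set[str]:
    """Lowercased content words, with stopwords and very short tokens dropped."""
    return {w for w in re.findall(r"[a-z0-9_]+", text.lower())
            if w not in STOPWORDS and len(w) > 2}


def jaccard(a: set[str], b: set[str]) -> float:
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def core_lines(body: str, max_lines: int = 2) -> list[str]:
    """Return the lines densest in finding keywords, in original order.

    This is the "here's the one line we should tease out" step.
    """
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    scored = [(len(tokens(ln) & KEYWORDS), i, ln) for i, ln in enumerate(lines)]
    top = sorted(scored, key=lambda t: (-t[0], t[1]))[:max_lines]
    return [ln for _, _, ln in sorted(top, key=lambda t: t[1])]


def missing_repro(body: str) -> bool:
    """True when the report has neither numbered steps nor a concrete HTTP request."""
    has_steps = re.search(r"^\s*(\d+[.)]|step\s*\d+)", body, re.M | re.I)
    has_request = re.search(r"\b(GET|POST|PUT|PATCH|DELETE)\s+/", body)
    return not (has_steps or has_request)


def similar_reports(report: Report, history: list[Report],
                    threshold: float = 0.2) -> list[tuple[str, float]]:
    """Historical reports whose token overlap with this one reaches the threshold."""
    mine = tokens(report.title + " " + report.body)
    hits = [(h.id, round(jaccard(mine, tokens(h.title + " " + h.body)), 2))
            for h in history]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])


def triage(report: Report, history: list[Report]) -> dict:
    """Structured first-pass context an analyst can act on."""
    return {
        "id": report.id,
        "core": core_lines(report.body),
        "needs_clarification": missing_repro(report.body),
        "similar": similar_reports(report, history),
    }


# Constructed sample data: two closed historical reports and one verbose new one.
HISTORY = [
    Report("H-1", "Stored XSS in merchant order notes",
           "Order notes field renders HTML. Payload <script> executes for admin viewing order."),
    Report("H-2", "IDOR exposes other merchant invoices",
           "Changing invoice id in GET /invoices/123 returns another merchant invoice."),
]

INCOMING = Report(
    "R-42",
    "Possible XSS issue in order notes",
    "Hi team, first of all thanks for the great program, I have been hunting for a while.\n"
    "So I was looking at the admin panel and noticed the order notes field.\n"
    "Putting a script payload in order notes executes as stored XSS for the admin user viewing the order.\n"
    "Let me know if you need more information, thanks again.\n",
)

if __name__ == "__main__":
    for key, value in triage(INCOMING, HISTORY).items():
        print(f"{key}: {value}")
```

Run as a script, it reports the two keyword-dense lines of the incoming submission, marks it as needing clarification (no numbered steps or request), and lists H-1 as a likely prior report. The point of the structure is that each output is a prompt for a human decision rather than a verdict: the analyst still judges whether the match is a duplicate and what to ask the researcher.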
The Results: Clarity, Confidence, and Capacity
As the workflow matured, the impact became visible across the program.
- Shopify reached inbox zero for the first time in months.
- Validation, reproduction, and researcher communication improved by 62%.
- Analyst onboarding time was cut in half, dropping from roughly eight months to four.
- Response efficiency stabilized and improved, even as report volume remained high.
For Moné-Corallo, the most meaningful change showed up in how the team felt about their work.
“One of the things that has given me peace of mind for the team is that AI has lifted some of the burden off their shoulders and can make them go the distance more,” she said.
Analysts spent less time stuck in repetitive triage and more time applying their expertise. Communication with researchers became more consistent, engineering teams received clearer guidance, and leadership saw a program that could absorb growth without grinding people down.
In a landscape where the AI attack surface continues to expand, Shopify used AI to gain breathing room.
What This Means for Security Teams Facing AI Scale
Shopify’s experience highlights a pattern many security leaders are recognizing: scaling security in the AI era is about empowering humans in the loop.
Agentic AI works best when it turns raw input into structured context, reducing cognitive load and helping teams move from drowning in information to acting on insight.
For organizations navigating a growing AI attack surface, the takeaway is simple:
- Start with the work that drains your team the most.
- Use AI to support clarity and consistency.
- Let humans stay focused on judgment, impact, and trust.
That is how security keeps pace when everything else accelerates.