How Shopify reached Inbox Zero and cut onboarding by 50% with Hai
As AI expanded Shopify’s attack surface, a four-person security team faced mounting backlog and months-long onboarding cycles. By pairing internal AI agents with HackerOne Hai, Shopify cut onboarding time by 50%, reached inbox zero, and accelerated validation and triage by 62%.
A HackerOne customer since 2015, Shopify has grown into one of the world’s most influential commerce platforms by always staying ahead of what the future demands. When CEO Tobi Lütke stepped up the company’s AI ambitions and declared that “AI is a core responsibility of everyone,” Shopify expanded its use of AI to power developer productivity and new merchant-facing products.
Security needed to match that pace. Instead of scaling with more headcount, Shopify built the AI-driven teammate they needed, keeping one of the industry’s busiest bug bounty programs operating with confidence.
AI sped up development, but not capacity
When Jill Moné-Corallo stepped in to lead Shopify’s bug bounty program in early 2025, her four-person team was already at operational capacity. They received hundreds of vulnerability reports each week. Each submission required careful unpacking, multiple reads, and precedent checking before communicating with researchers.
Eight months to fully onboard a new analyst
Persistent backlog that blocked inbox zero
Rising submission complexity as AI-driven development expanded attack surfaces
Manual, repetitive tasks that increased the risk of analyst burnout
Because a single vulnerability can affect one merchant or millions, the bar for accuracy and consistency never moved. Jill needed a way to scale security operations without losing the judgment, empathy, and precedent awareness that make a world-class bug bounty program run.
AI became the teammate who remembers every report
To scale validation without compromising expertise, Shopify built AI agents trained on the company’s unique tone, history, and scoring precedents. These agents perform the first pass on every report, extracting core issues and giving analysts an immediate understanding of Shopify-specific context.
HackerOne Hai strengthens this foundation with coordinated Agentic AI that turns complex findings into clear, actionable guidance. It adapts to program policies, surfaces similar reports, reinforces consistent scoring, and strengthens communication with the security researcher community. And because Hai operates without bias, it gives Shopify the objectivity to stay true to the definitions of their scoring.
Together, the two give Shopify’s team what functions as a teammate who remembers every report. As Jill describes it, “It’s amazing to see what it does for the confidence of an individual in the role as well as historical precedent… It decreases remediation and that kind of back and forth.”
AWS as the secure AI foundation
Shopify's solution operates within AWS as part of its broader secure-by-design infrastructure. Amazon Bedrock enables Shopify and HackerOne to run AI systems without using prompts or customer data for training. This gives Shopify’s security team confidence that AI can be safely embedded into sensitive workflows while maintaining strict data boundaries.
Throughout the transformation, human judgment remained the source of truth. AI simply amplified it. The gains achieved with Hai demonstrate how thoughtfully integrated AI can unlock meaningful scale for the business and for the team. But Shopify didn’t stop at using AI to improve security processes; they also partnered with HackerOne through a Live Hacking Event to rigorously test their own AI-powered products, including Sidekick, the commerce assistant that helps merchants grow their business.
Together, Hai and the AI-focused Live Hacking Event helped Shopify set a new standard with a dual approach: treating AI as a tool for security and as an asset to be secured. This shapes Shopify’s broader strategy of pairing innovation with accountability and ensuring that every AI advancement is backed by real-world, community-driven security insight.
For security teams looking to adopt AI in security operations, Jill Moné-Corallo shares:
Start with what you’re comfortable with, especially the areas that are your weaknesses. Taking some of the grueling tasks off your plate builds trust in the system, and from there the world is your oyster.