Asana catches security risks before anyone writes a line of code with AI Teammates

Security is what makes it possible to build and ship software with confidence. But in fast-moving engineering teams, it can drift into an afterthought—a final hurdle before launch rather than a voice at the table from day one. Varun Prusty, staff security engineer on Asana's security architecture team, believed it didn't have to work that way, so he built something to prove it.

Varun’s solution was an AI Teammate that works alongside him at every stage of the software development process, from the first idea to the final release.

The result: one engineer with the reach of a team 10 to 15 times his size.

Keeping pace with security reviews in a fast-moving engineering organization

As Asana's engineering org grew, so did the volume of products and features needing security review. With a small team, some conversations were happening too late in the process—after designs were finalized and code was written—when changes are hardest to make.Varun's goal was straightforward: get security into the conversation earlier, at every stage, for every team.

It's given us the bandwidth, scaled our team, and enabled us to focus on what we enjoy. It's almost like a mini-me coworker.”

Putting AI Teammates to work across the software development process

Varun built his workflow inside an Asana project, mirroring how Asana's engineering teams actually build software. Each phase of the process is powered by AI with a human check before anything moves forward.

Step 1: Security guidance before the design process even starts

When an engineering team member has a new feature idea, they submit it through an intake form in Asana. An AI Teammate reads the description, cross-references Asana's known risks, past security reviews, and internal security standards, and responds with a plain-language list of things the team should think about before they start designing.

This happens automatically, the moment a submission comes in. No waiting for a security engineer to have a free moment. Teams get guidance at the start, not a surprise at the end.

"Security needs to be a collaborator at every part of the software development lifecycle, starting from the inception of an idea to the delivery," Varun said.

Step 2: A full security risk review before anyone writes code

Once a team has a design document for the feature, they bring it back to the process. The AI Teammate first checks that everything needed for the security review is included—like architecture diagrams, data flow diagrams, and a record of the security requirements from Step 1. If anything is missing, it asks the submitting team for it before going further.

Then the AI Teammate does a full risk review. Drawing on past security reviews, known bugs, and Asana's data policies, the AI Teammate works through the design and sorts the risks it identifies into three buckets: must fix before launch, fix soon after launch, and nice to have. It provides the security and engineering teams context and rationale behind how it assessed the risks and offers suggestions and follow-up questions.

From there, Varun and the engineering team go through the findings together and answer the AI Teammate’s questions. They reply in comments to provide context, accept certain risks, and agree on what needs to be addressed. Both teams own the outcome.

"The final deliverable is a comprehensive set of risks and their severity, so the whole team, including security and engineering, is aligned," Varun said.

Step 3: A final human check before anything ships

Once the design is approved and the team has built the feature, the process hands off to a real security engineer for a final review. This isn't a full re-review; it's a confirmation that all the agreed-upon risks have been addressed and all the boxes are checked.

The human makes the final call.

Now it kicks it over to one of our team members—the final human check, cross your T's, dot your I's.”

Security reviews at every stage, for every team

Security reviews that once took days now start the moment a team submits an idea. Every engineering team at Asana, regardless of time zone or sprint schedule, has access to security guidance at every stage of development, not just when a security engineer happens to be available.

And all of this documentation improves the next feature review."There's this flywheel effect,” said Varun. “AI just has more context, and more context, and more context.”

The repetitive parts of security work, the conversations that happen the same way across dozens of teams, are handled by AI. Varun and his team spend their time on the work that actually needs their expertise.