How Diana Reduced a $40,000 Security Audit to Hours
For the last five years, our team at Xipe has worked with an international company that operates across five countries: the United States, Argentina, Brazil, Colombia, Mexico, and Uruguay.
The company runs a complex financial ecosystem responsible for billing and bank reconciliation across all regions, which means reliability and security are critical. The software stack spans multiple generations of technology, including .NET Framework 4 through modern .NET versions, with jQuery and Blazor used on the frontend.
Over time, the system grew into a distributed environment maintained by four different software vendors, each responsible for different parts of the platform. As expected in long-running systems, this created a new challenge: keeping the ecosystem secure and up to date.
Periodic security audits became necessary to detect:
- Deprecated or vulnerable packages
- Unsecured API endpoints
- Inconsistent security policies across services
These audits were traditionally expensive and time-consuming. Depending on the scope of the system being reviewed, the process could cost up to $40,000 per audit and require days or even weeks of manual work.
In late 2025, we decided to test whether Diana, our AI engineering assistant, could dramatically reduce the cost and time required for these audits.
The Initial System
The client's infrastructure consisted of multiple .NET applications deployed across several servers. Each service exposed APIs documented through OpenAPI specifications, and all code repositories were hosted on GitHub.
Because multiple vendors contributed to the ecosystem, there was no single unified process to guarantee that:
- Dependencies were always up to date
- Endpoints followed the same authentication policies
- Security best practices were consistently enforced
Traditional audits required engineers to manually inspect repositories, cross-reference dependency versions with vulnerability databases, and manually test API endpoints to verify authentication requirements.
Even for experienced teams, this work typically required three to seven days of engineering time.
The Diana Experiment
In December, using Diana v4, we conducted an internal experiment.
First, we connected all GitHub repositories developed by Xipe to Diana. Using curated prompts and trusted security sources such as OWASP, we instructed Diana to analyze the repositories and identify outdated packages and potential vulnerabilities.
The result was immediate.
What previously required three business days of manual analysis was completed in minutes. Diana identified multiple deprecated packages across services and generated a structured report detailing what needed to be updated.
But the more interesting result came from the second part of the experiment.
Detecting Unsecured Endpoints
One of the most difficult tasks during security audits is verifying that all API endpoints enforce the correct authentication and authorization policies.
To automate this process, we deployed Diana CLI inside the client's network environment.
The CLI was given:
- The internal IP addresses of all application servers
- The OpenAPI JSON specifications for each service
Diana then attempted to consume every endpoint defined in the specifications, automatically testing whether the endpoint was accessible without proper authentication.
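The check described above, written out as an added illustration (this is not Diana's code or the client's API): walk every path and method in an OpenAPI 3 JSON document, decide from the spec's own `security` declarations which operations are supposed to require credentials, send each of those one request with no Authorization header, and flag any that answer with something other than 401 or 403. The spec, the 10.0.0.5 server address and the `fake_send` responder are constructed so the block runs offline; `urllib_status` is the real sender you would pass in instead.

```python
import json
import re
from typing import Callable, List
from urllib import request, error

# Constructed sample spec (not the client's real API): a global bearer
# requirement, one operation restating it, and one intentionally public path.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "servers": [{"url": "http://10.0.0.5/api"}],
  "security": [{"bearer": []}],
  "paths": {
    "/invoices": {"get": {}},
    "/invoices/{id}": {"delete": {"security": [{"bearer": []}]}},
    "/health": {"get": {"security": []}}
  }
}""")

def requires_auth(spec: dict, op: dict) -> bool:
    """OpenAPI rule: an operation-level 'security' list overrides the global
    one, and an explicit empty list marks the operation as public."""
    return len(op.get("security", spec.get("security", []))) > 0

def list_operations(spec: dict):
    """Yield (METHOD, url, needs_auth); path parameters get a placeholder value."""
    base = spec["servers"][0]["url"].rstrip("/")
    for path, item in spec.get("paths", {}).items():
        url = base + re.sub(r"\{[^}]+\}", "1", path)
        for method, op in item.items():
            if method in {"get", "post", "put", "patch", "delete"}:
                yield method.upper(), url, requires_auth(spec, op)

def urllib_status(method: str, url: str) -> int:
    """Real sender: one request with no Authorization header, returns the status."""
    try:
        with request.urlopen(request.Request(url, method=method), timeout=5) as r:
            return r.status
    except error.HTTPError as e:
        return e.code

def find_unprotected(spec: dict, send: Callable[[str, str], int]) -> List[str]:
    """'METHOD url' for every operation that declares auth but does not answer
    an unauthenticated request with 401 or 403."""
    return [f"{m} {u}" for m, u, needs in list_operations(spec)
            if needs and send(m, u) not in (401, 403)]

# Offline stand-in for urllib_status: the DELETE handler "forgot" its auth check
# (constructed misconfiguration).
def fake_send(method: str, url: str) -> int:
    return 200 if method == "DELETE" or url.endswith("/health") else 401
```

Against a real spec, pass `urllib_status` as the sender, and run the non-idempotent methods (POST, PUT, PATCH, DELETE) only against a staging copy, since the probe sends them for real.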
The results were surprising.
In a matter of hours, Diana generated a report identifying endpoints that were accessible when they should not have been.
These endpoints had not been detected in previous external audits.
Previously, running these kinds of endpoint validation tests required at least seven days of engineering work. With Diana, the same process completed in a few hours.
From Experiment to Contract
After demonstrating the results, the client decided to formalize the process.
Instead of running large, expensive periodic audits, the company signed a $5,000 monthly agreement that enables a trained engineer from Xipe to operate Diana within the client's infrastructure.
This model allows the company to run continuous security reviews, dramatically reducing risk while lowering overall costs.
Rather than waiting months between audits, the system can now be inspected regularly.
Diana in the Development Workflow
Beyond security auditing, Diana is now also used directly by developers.
Engineers run Diana locally during development to review code before it is submitted. Code changes are then delivered through GitHub, where the client's internal IT department performs final validation and deployment.
We are currently working toward the next step: enabling Diana to safely propose or implement direct code improvements while maintaining the strict security policies required by the client's infrastructure.
Results
The introduction of Diana fundamentally changed how the company approaches software security and maintenance.
Tasks that previously required multiple engineers and weeks of effort can now be completed in minutes or hours.
More importantly, the process is now continuous rather than episodic, allowing vulnerabilities to be detected much earlier.
For organizations managing complex software ecosystems with multiple vendors and legacy systems, this shift represents a significant improvement in both security posture and operational efficiency.