For many SaaS companies, responsibility for an application’s security is shifting to the application teams themselves, and HubSpot is no exception. HubSpot has always engaged with penetration testers from external security firms—in addition to security researchers via our bug bounty program—and will continue to do so. These external engagements do provide real value in terms of independent testing and verification, but there are advantages to Engineering taking direct responsibility for a portion of security testing as well. With external testers, HubSpot engineers have to spend time providing the right context, setting up access, and helping to troubleshoot through the engagement. With thousands of deploys daily, we need the freedom and flexibility to tackle high value changes without a ton of overhead.