<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Adobe Tech Blog - Medium]]></title>
        <description><![CDATA[Join our new blog: https://blog.developer.adobe.com/ - Medium]]></description>
        <link>https://medium.com/adobetech?source=rss----9342990108af---4</link>
        <image>
            <url>https://cdn-images-1.medium.com/proxy/1*TGH72Nnw24QL3iV9IOm4VA.png</url>
            <title>Adobe Tech Blog - Medium</title>
            <link>https://medium.com/adobetech?source=rss----9342990108af---4</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Thu, 23 Apr 2026 02:44:40 GMT</lastBuildDate>
        <atom:link href="https://medium.com/feed/adobetech" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Raising the Bar for AI Assistant in Adobe Experience Platform]]></title>
            <link>https://medium.com/adobetech/raising-the-bar-for-ai-assistant-in-adobe-experience-platform-f45dda4b2783?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/f45dda4b2783</guid>
            <category><![CDATA[enterprise-ai]]></category>
            <category><![CDATA[machine-learning]]></category>
            <category><![CDATA[adobe-experience-platform]]></category>
            <category><![CDATA[ai]]></category>
            <category><![CDATA[platform]]></category>
            <dc:creator><![CDATA[Namita Krishnan]]></dc:creator>
            <pubDate>Wed, 16 Apr 2025 16:54:38 GMT</pubDate>
            <atom:updated>2025-05-07T22:47:00.807Z</atom:updated>
            <content:encoded><![CDATA[<h4>Winning approaches to evaluation and incident prevention.</h4><p>In a <a href="https://blog.developer.adobe.com/ai-assistant-in-adobe-experience-platform-evaluation-and-continual-improvement-7cbc584c29f6">previous blog post</a>, we explored how AI Assistant in Adobe Experience Platform is monitored and improved via an end-to-end evaluation framework, including how we track, categorize, and learn from errors in real-world usage.</p><p>This sequel expands on those ideas to address the challenges that arise when AI Assistant encounters <em>much</em> <em>larger, more varied</em> user traffic, as detailed in our research paper, <a href="https://ojs.aaai.org/index.php/AAAI/article/view/35161">Evaluation and Incident Prevention in an Enterprise AI Assistant</a>. We are thrilled to share that this latest work recently earned the prestigious <a href="https://aaai.org/conference/aaai/aaai-25/iaai-25-call/#:~:text=and%20smart%20manufacturing%E2%80%8B%E2%80%8B.-,DSRI%20AI%20Incidents%20and%20Best%20Practices%20Paper%20Award,-The%20DSRI%20AI">DSRI AI Incidents and Best Practices Paper Award</a> at the <a href="https://aaai.org/conference/aaai/aaai-25/">39th Annual AAAI Conference on Artificial Intelligence</a>. This recognition is a testament to our team’s commitment and engineering excellence in building enterprise-grade AI solutions that stand up to real-world complexity.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*0gXtdlavwVdvZ_kExj9cPg.png" /><figcaption><em>Some authors of the paper displaying the DSRI AI Incidents and Best Practices Paper Award won at the 39th Annual AAAI Conference on Artificial Intelligence.</em></figcaption></figure><h4><strong>Smarter annotation through coreset sampling</strong></h4><p>When we first launched AI Assistant, we attempted to label nearly every question to identify opportunities to improve. 
That became unsustainable as our customer base grew drastically, with users asking thousands of questions each month. We needed a way to preserve a complete picture of system performance without having to triple or quadruple our annotation staff.</p><p>Our answer: <strong>coreset-based sampling</strong>.</p><p>In simple terms, each query and its corresponding answer is embedded into a high-dimensional vector space. From there, we pick a “coreset” (or minimal subset) of queries that collectively cover the major patterns and edge cases in the data. Coreset sampling makes one important assumption — that the error rate we are interested in is a linear function of a (learnable) embedding. With this assumption, finding a minimal representative sample becomes a weighted discrepancy minimization problem. This means that we must find the minimal set of data points whose embedding vectors best approximate the “average” embedding of the dataset.</p><p>We solve this problem by applying an algorithm called <a href="https://arxiv.org/abs/1802.01737">Greedy Iterative Geodesic Ascent (GIGA)</a>. GIGA essentially looks at how well each additional data point covers unexplored regions of the embedding space. By iteratively adding the “most unique” query each round, GIGA ensures we capture all major user behaviors and tricky corner cases, but without an explosion in labeling costs.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*9FKluwFRL5kK9PG64IPZ4g.png" /><figcaption>Figure 3 from the paper: Mean squared error of uniform (random) sampling and covariate aware sampling using GIGA. Error is measured with respect to proportion estimates obtained over the full set of annotations.</figcaption></figure><p>By comparing root mean squared error (RMSE) and other discrepancy metrics, we saw that coreset sampling outperforms random sampling. 
While a random sample might miss corner cases or over-represent redundant queries, coreset sampling selects fewer, more <em>informative</em> examples. This has freed us to devote expert annotator time to truly novel or complicated query/answer pairs.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jBFcfePnCU7utBMhQBWNew.png" /><figcaption>Table 2 from the paper: Coreset size vs Unif size with percentage reduction in the number of samples needed for uniform sampling to reach the equivalent root mean squared error of the coreset based approach.</figcaption></figure><p>As a result, even with thousands of questions flowing in every month, we can discover critical issues quickly without missing rare but high-impact problems. This keeps AI Assistant’s performance consistent and avoids forcing customers to uncover obscure failures on their own. At the same time, annotation becomes more scalable, freeing resources for developing new features rather than drowning in labeling tasks.</p><h4><strong>Hunting down failures with adversarial testing</strong></h4><p>Enterprise users benefit from fewer surprises and higher reliability in our system. By proactively uncovering worst-case scenarios before anyone else, we protect customers from encountering these blind spots in day-to-day use.</p><p>Human annotation is crucial for broad monitoring, but there’s a second technique that has proven invaluable: <strong>adversarial testing</strong>. Instead of waiting for real users to stumble on subtle failures, we invite internal domain experts — people with specialized knowledge — to intentionally “break” AI Assistant. They craft questions designed to push every known weak spot: tricky domain jargon, contradictory instructions, or references to extremely specialized documentation.</p><p>Because experts pinpoint the root cause right away, we know if a mishap arises from a missing data source, a misconfigured retrieval pipeline, or a language model hallucination. 
That insight is fed directly back into engineering sprints and data improvements, so each high-risk bug can be addressed at the source.</p><h4><strong>Preventing Regressions with Shared Evaluation Datasets</strong></h4><p>We’re constantly rolling out new features and capabilities — sometimes every other week — to meet diverse customer needs. Multiple teams handle different components, and this level of rapid development can raise the risk of “feature regressions,” where one improvement inadvertently disrupts another function.</p><p>Our latest approach is <strong>shared evaluation datasets</strong>. At regular intervals (once a quarter), we gather and annotate a new batch of real production queries. This batch is then “locked in,” split into a development set (for component development or testing new ideas) and a <strong>holdout set</strong> that’s used strictly for final evaluations. If a team wants to introduce a change, they must show that the new code produces <em>at least as good</em> results on the holdout set as the current production baseline.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*aWJ-tHOxacVL___5FiSYwA.png" /><figcaption>Figure 4 from the paper: Creation of shared evaluation datasets on an ongoing basis, using sampling and human annotation of production traffic, which is then partitioned into development and holdout datasets.</figcaption></figure><h4><strong>Closing thoughts</strong></h4><p>We maintain a holistic view of interactions by monitoring how quickly users recover from mistakes, whether they receive clear explanations, and how effectively they complete their intended tasks. 
This bigger-picture lens drives user interface refinements and better conversation flows, ensuring the AI Assistant remains straightforward and transparent rather than misleading users with confident but incorrect answers.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wFx0YvIX9LnvI-_-YSGMMQ.png" /><figcaption>Figure 5 from the paper: The continual improvement framework, emphasizing human annotation as a way of both generating labeled data to be used in shared evaluation datasets, and in driving measurement and error analysis. With the Error severity framework, we are then able to prioritize improved AI components, but also consider other improvements like UX changes that aid in verifiability, explainability, and enhancing the user’s ability to recover.</figcaption></figure><p>Scaling up an AI Assistant is not just about spinning up bigger servers or using more advanced models. It requires strategic, precise methods for monitoring and continuous improvement. We anticipate evolving these processes further as we tackle emerging challenges, like domain-specific compliance requirements and more advanced multimodal questions. Stay tuned for future updates where we dive deeper into how these evaluation and testing strategies equip AI Assistant to remain at the cutting edge of enterprise reliability.</p><p><strong><em>Authors: Akash V. 
Maharaj, David Arbour, Daniel Lee, Uttaran Bhattacharya, Anup Rao, Austin Zane, Avi Feller, Kun Qian, and Yunyao Li</em></strong></p><p><em>Namita Krishnan, Rini Iyju, Guang-jie Ren, and Huong Vu also contributed to this article.</em></p><hr><p><a href="https://medium.com/adobetech/raising-the-bar-for-ai-assistant-in-adobe-experience-platform-f45dda4b2783">Raising the Bar for AI Assistant in Adobe Experience Platform</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[AI Assistant in Adobe Experience Platform: Evaluation and Continual Improvement]]></title>
            <link>https://medium.com/adobetech/ai-assistant-in-adobe-experience-platform-evaluation-and-continual-improvement-7cbc584c29f6?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/7cbc584c29f6</guid>
            <category><![CDATA[platform]]></category>
            <category><![CDATA[ai]]></category>
            <category><![CDATA[adobe-experience-platform]]></category>
            <category><![CDATA[ai-assistant]]></category>
            <category><![CDATA[generative-ai-tools]]></category>
            <dc:creator><![CDATA[Namita Krishnan]]></dc:creator>
            <pubDate>Thu, 06 Feb 2025 21:02:15 GMT</pubDate>
            <atom:updated>2025-02-06T21:02:14.937Z</atom:updated>
            <content:encoded><![CDATA[<p><a href="https://experienceleague.adobe.com/en/docs/experience-platform/ai-assistant/landing">AI Assistant in Adobe Experience Platform</a> represents a leap forward in building enterprise-grade applications in the Generative AI era. This article provides a behind-the-scenes account of how we approach evaluation and continual improvement as detailed in our research paper, <a href="https://aclanthology.org/2024.dash-1.3/"><em>Evaluation and Continual Improvement for an Enterprise AI Assistant.</em></a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*JqnMxFkJzzGGXelwB-seMA.jpeg" /><figcaption>Image credits: Adobe Stock</figcaption></figure><h4>Problems</h4><p>Enterprise users often face significant friction when trying to extract insights from their data. Conversational AI assistants, as illustrated in the figure below, promise to simplify this process, but delivering a reliable, precision-oriented enterprise-grade solution comes with unique challenges: fragmented data sources, evolving customer needs, and the risk of AI-generated errors that erode user trust.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/936/1*U8BS6W0D7VcO8aJmjqGDrw.png" /></figure><p>As we delved deeper into this project, we encountered a critical question: How do we effectively evaluate and improve an AI assistant that’s constantly evolving in a dynamic enterprise environment? This challenge is far from trivial. Enterprise AI assistants deal with sensitive customer data, need to adapt to shifting user bases, and must balance complex metrics while maintaining privacy and security. Traditional evaluation methods fall short in this context, often providing incomplete or misleading feedback.</p><h4>Our Approach</h4><p>To address these issues, we’ve developed a novel framework for evaluation and continual improvement. At its core is the observation that “not all errors are the same”. 
We have adopted a “severity-based” error taxonomy that aligns our metrics with real user experiences (see the table below):</p><ul><li>Severity 0 errors: These are the most insidious — answers that look correct but are wrong, potentially eroding user trust.</li><li>Severity 1 errors: Incorrect answers that users can’t recover from, leading to frustration.</li><li>Severity 2 errors: Errors that users can overcome through rephrasing, causing minor annoyance.</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/936/1*uClzdHBOY2wMOoX0_531Xg.png" /></figure><p>This taxonomy allows us to prioritize improvements that have the most significant impact on user experience and trust. It’s part of a comprehensive approach that includes:</p><ul><li>Prioritizing metrics directly impacted by production changes</li><li>Efficient allocation of human evaluators</li><li>Collection of both end-to-end and component-wise metrics</li><li>System-wide improvements across all components</li></ul><figure><img alt="" src="https://cdn-images-1.medium.com/max/936/1*NLFONeuTWJyRhQay_Pf1Gw.png" /></figure><p>The impact of this framework on our customers has been substantial. By focusing on severity-based errors, we’re delivering more reliable and trustworthy AI assistance. Our human-centered approach ensures that improvements align with real user needs and pain points, as illustrated in the table below.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/736/1*vvT08qaicLeJWpd7gNKuSg.png" /></figure><h4>What’s Next</h4><p>We’re just getting started. Our focus now is on making AI Assistant in Adobe Experience Platform even more proactive, meeting the users in their natural workflow and expanding coverage. We’re also improving our evaluation framework along a few key dimensions:</p><p>1. Adding proactive evaluations over samples that are representative of production queries. This allows us to forecast the impact of new features and improvements on error rates.</p><p>2. 
Formalizing error-severity definitions by breaking down the subjective determinations into a series of less-subjective questions that a human annotator must answer. This has helped to improve the consistency of these error severity determinations.</p><p>3. Scaling evaluation with “LLM-as-judge” annotations: this is an extremely active area of research, and we are actively working on incorporating these methods, especially for tasks that do not require domain expertise to annotate.</p><p>To learn more about our work and the impact we’re seeing, read the full paper <a href="https://aclanthology.org/2024.dash-1.3/">here</a> and follow Adobe Experience Cloud on <a href="https://www.linkedin.com/showcase/adobe-experience-cloud/posts/?feedView=all">LinkedIn</a> for updates on our latest innovations.</p><p>Start using AI Assistant in Adobe Experience Platform today and supercharge the productivity of your marketing teams. AI Assistant is now available in Real-Time CDP, Journey Optimizer, and Customer Journey Analytics! For more details on getting access, visit the <a href="https://experienceleague.adobe.com/en/docs/experience-platform/ai-assistant/access">Access AI Assistant in Experience Platform</a> page.</p><h4>Authors</h4><p>Akash V. 
Maharaj, Kun Qian, Uttaran Bhattacharya, Sally Fang, Horia Galatanu, Manas Garg, Rachel Hanessian, Nishant Kapoor, Ken Russell, Shivakumar Vaithyanathan, and Yunyao Li</p><p>Guang-jie Ren, Huong Vu, and Namita Krishnan also contributed to this article.</p><hr><p><a href="https://medium.com/adobetech/ai-assistant-in-adobe-experience-platform-evaluation-and-continual-improvement-7cbc584c29f6">AI Assistant in Adobe Experience Platform: Evaluation and Continual Improvement</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Security Blog Posts Are Moving to the New Adobe Security Blog]]></title>
            <link>https://medium.com/adobetech/important-update-were-moving-to-the-adobe-security-blog-d3176272b3a8?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/d3176272b3a8</guid>
            <category><![CDATA[security-blogging]]></category>
            <category><![CDATA[product-security]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[cloud-security]]></category>
            <dc:creator><![CDATA[Renae Kang]]></dc:creator>
            <pubDate>Tue, 21 Jan 2025 21:56:45 GMT</pubDate>
            <atom:updated>2025-02-04T15:30:56.341Z</atom:updated>
            <content:encoded><![CDATA[<h4>By the Adobe Security Team.</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*KBnqvk_o7EDlVjTnvsKcXA.png" /></figure><p>Hello, Medium Community!</p><p>We’re excited to announce that we are migrating our security blog to the <a href="https://blog.adobe.com/security/"><strong>Adobe Security Blog</strong></a>. To stay updated on the latest news, insights, and updates from the Adobe Security team, please make sure to bookmark our new home on the <a href="https://blog.adobe.com/security/"><strong>Adobe Security Blog</strong></a>.</p><p>We’d also love to hear from you! If you have any feedback or suggestions about our security content, feel free to share your thoughts via our <a href="https://survey.adobe.com/jfe/form/SV_08TWfd3N5aWWNWS"><strong>blog survey</strong></a>.</p><p>This will be our final post on Medium, so we hope to see you over at the <a href="https://blog.adobe.com/security/"><strong>Adobe Security Blog</strong></a> soon.</p><p>Thank you for your support!</p><hr><p><a href="https://medium.com/adobetech/important-update-were-moving-to-the-adobe-security-blog-d3176272b3a8">Security Blog Posts Are Moving to the New Adobe Security Blog</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Edge Delivery Services for Commerce: A New Storefront Has Dropped]]></title>
            <link>https://medium.com/adobetech/edge-delivery-services-for-commerce-a-new-storefront-has-dropped-ae1ac8d7ceca?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/ae1ac8d7ceca</guid>
            <category><![CDATA[aem-developer]]></category>
            <category><![CDATA[adobe-experience-cloud]]></category>
            <category><![CDATA[composable-commerce]]></category>
            <category><![CDATA[adobe-commerce]]></category>
            <category><![CDATA[edge-delivery-services]]></category>
            <dc:creator><![CDATA[Carlos A. Cabrera]]></dc:creator>
            <pubDate>Tue, 14 Jan 2025 19:05:34 GMT</pubDate>
            <atom:updated>2025-01-14T19:05:34.837Z</atom:updated>
            <content:encoded><![CDATA[<p>At Adobe, we have redefined the e-commerce storefront to help merchants streamline development workflows and accelerate time-to-market through a fully composable architecture powered by <a href="https://www.aem.live/">Edge Delivery Services</a> and our plug-and-play micro-frontends: <a href="https://experienceleague.adobe.com/developer/commerce/storefront/">Commerce Drop-in Components</a>.</p><p>The storefront has evolved dramatically over the past decade. From mobile-first to offline-first design to social media integrations and headless omnichannel experiences, businesses have faced challenges in efficiency, scalability, and ever-changing customer expectations. Traditional storefront solutions, often constrained by monolithic architectures rapidly becoming outdated, have faced challenges in keeping up with modern demands.</p><p>Once considered cutting-edge, single-page applications (SPAs) have fallen short with high adoption costs and a fragmented developer experience of gluing different tech stacks between content management systems and commerce platforms.</p><h3>Hello, composable storefront</h3><p>Developers like me live our day-to-day saturated with buzzwords and cheesy marketing phrases. We all roll our eyes at them. I know I do. But then, one day, you find yourself writing about “composable storefront.” Granted, the term can be considered another vague, trendy term for those unfamiliar. However, it also represents a shift in how e-commerce storefronts are designed and delivered. It advocates for reusable, interchangeable building blocks to create custom solutions. Their principles are rooted in practical architectural choices like micro-frontends, API-first design, and headless commerce.</p><p>Adobe Commerce drop-in components are full-featured, domain-specific shopping components designed for seamless integrations through predictable APIs. 
They include functional user interfaces for pages such as product details, shopping carts, checkout flows, user authentication, user accounts, and more.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*f8AlON9dCnR1p9XcfyzbyQ.png" /></figure><p>Drop-in components are released as modular JavaScript libraries via <strong>NPM</strong> following semantic versioning to ensure compatibility and stability. They are web framework agnostic and can be integrated into any website using standard JavaScript and CSS.</p><h3>Long live the content</h3><p>“Content is King”. It was true in 1996 when Bill Gates coined the term, and it’s still true today. In graphic design, content-first design prioritizes content when structuring and designing a website or application. Instead of shaping content around a pre-existing design, the design is created to support the content–you will rarely find conversion rate success in a storefront using a cookie-cutter design template selected at random. Businesses must understand their identity and build a tailored storefront that tells a story aligned with their brand and market perception. To make this possible, content must determine the technology and features, not vice versa.</p><p>The <a href="https://www.aem.live/docs/authoring">document-based authoring of AEM with Edge Delivery Services</a> goes beyond conventional content management by putting content at the center of the development cycle. 
A content block-driven approach in Edge Delivery Services provides content authors with a CMS that gets out of the way by removing complexities, empowering authors to create and deliver performant and personalized web pages to their users.</p><ul><li>Edge Delivery Services simplifies development by using vanilla JavaScript for customizations and integrations, eliminating the need for specialized frameworks or tooling, lowering the barrier for developers to contribute, reducing dependencies, and streamlining maintenance over time.</li><li>Content velocity is critical for businesses aiming to stay relevant and deliver dynamic user experiences. Document-based authoring plays nice with SharePoint and Google Drive documents, providing rapid content creation, editing, and deployment tools. Its intuitive interface allows content authors to focus on crafting engaging experiences without relying heavily on technical teams, fostering greater collaboration between marketers and developers. Additionally, content from Edge Delivery Services is <strong>reusable across channels</strong> and can be <a href="https://www.aem.live/developer/spreadsheets">delivered as HTML, Markdown, or JSON files</a>.</li><li>AEM with Edge Delivery Services prioritizes performance by optimizing content delivery. It ensures faster page loads and seamless interactions, even for dynamic and personalized experiences. Its capabilities allow businesses to serve lightweight, highly optimized pages that rank better in search engines and deliver superior user experiences.</li></ul><h3>Boilerplate from zero to shoppable</h3><p>To help developers hit the ground running, we built the <a href="https://github.com/hlxsites/aem-boilerplate-commerce">Edge Delivery Services for Commerce Boilerplate</a>. This comprehensive template focuses on function over form. 
It offers a pre-integrated and functional end-to-end storefront, allowing developers to run an unopinionated, plain-by-design storefront in minutes that they can use as ground zero for their project.</p><p>In e-commerce, storefronts are usually structured with core pages for the shopping experience. These pages support key actions in the shopping funnel, such as browsing products, managing the cart, and completing and following up on purchases. The Edge Delivery Services for Commerce Boilerplate is natively integrated with these core pages, where the author manages the sitemap, content, and page structure. Commerce Blocks are powered by Commerce drop-in components, enabling developers to meet their unique use cases by configuring and restructuring the composition layer as needed and even replacing specific containers with third-party or custom-built user interfaces.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*24DlKKKj7trpP56Maefu6A.png" /></figure><p>The Boilerplate is composed of the following drop-ins:</p><h4><a href="https://experienceleague.adobe.com/developer/commerce/storefront/dropins/user-auth/">Auth Drop-in Component</a></h4><p>Handles secure user authentication, including sign-ups, log-ins, password resets, and log-outs. It integrates seamlessly across the storefront to support all authentication views.</p><h4><a href="https://experienceleague.adobe.com/developer/commerce/storefront/dropins/product-details/">PDP Drop-in Component</a></h4><p>Powers the Product Details Page (PDP) by displaying comprehensive product details, such as descriptions, attributes, pricing, options, and images.</p><h4><a href="https://experienceleague.adobe.com/developer/commerce/storefront/dropins/cart/">Cart Drop-in Component</a></h4><p>Manages cart functionality, including viewing, updating, and merging carts. It supports mini-carts, pricing, estimated shipping/taxes, and order summaries. 
This drop-in integrates across multiple pages, including the PDP, Cart Page, and Checkout Page.</p><h4><a href="https://experienceleague.adobe.com/developer/commerce/storefront/dropins/checkout/">Checkout Drop-in Component</a></h4><p>Streamlines the purchase process with customizable controls for billing, shipping, payment methods, and order placement, powering the Checkout Page for a smooth transaction flow.</p><h4><a href="https://experienceleague.adobe.com/developer/commerce/storefront/dropins/order/">Orders Drop-in Component</a></h4><p>Provides post-purchase functionality such as order search, shipping status tracking, customer details, and returns. It integrates with Order Confirmation, Order Detail, and Guest Order Status Pages.</p><h4><a href="https://experienceleague.adobe.com/developer/commerce/storefront/dropins/user-account/">Account Drop-in Component</a></h4><p>Delivers account management capabilities, including customer details, addresses, payment methods, and order histories. It integrates with Account Pages to create a unified user profile experience.</p><p>The composable architecture of Edge Delivery Services combined with Commerce Drop-in Components provides developers with a solid foundation for building storefronts that scale. Whether enhancing the product pages, refining the checkout process, or delivering a custom account experience, the Boilerplate provides the essential tools to create custom experiences.</p><h3>Getting started</h3><p>To get started with the Edge Delivery Services for Commerce Boilerplate, follow the steps in the <a href="https://experienceleague.adobe.com/developer/commerce/storefront/get-started/">official documentation</a>.</p><p><em>Note: Adobe Commerce is highly customizable, with most customers using extensions. You can use the default Boilerplate’s Commerce environment as a playground. Still, to use your own Commerce instance, you must ensure all the necessary data is accessible via APIs for a headless integration. 
For more details about requirements, review the </em><a href="https://experienceleague.adobe.com/developer/commerce/storefront/discovery/architecture/"><em>Discovery and Preparation Blueprint documentation</em></a><em>.</em></p><p>Once you’ve set up the project, run npm install to install all dependencies, and npm dev to run your local development environment.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ZioT8HnzScPOi4QVxEQeyg.png" /></figure><p>At this point, you should see your brand-new storefront loaded on your favorite web browser. Go on, click around, explore, and buy something nice. As you have probably noticed, I wasn’t kidding when I said the Boilerplate was unopinionated and plain. It’s supposed to be underwhelming at first sight. Here is where you step in to transform this simple, unopinionated template into a brilliant storefront.</p><h3>Make it your own</h3><p>E-commerce sites share common characteristics but have unique identities shaped by their brand and target audience. Designing a customizable, run-time multi-tenant micro-frontend solution that is upgradable over time was a complex challenge the Adobe Commerce team had to solve.</p><p>We addressed this by building the drop-in components around consistent design patterns, resulting in a predictable development experience: learn one, and you can work with them all.</p><p>These conventions prioritize flexibility, scalability, and ease of customization, enabling developers to build unique experiences without starting from scratch. 
By leveraging modular layouts, reusable containers, extensible slots, and streamlined data communication through the event bus, drop-in components balance standardization and the freedom to create.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*RBgDlrue44YhjU9K56mC1Q.png" /></figure><h3>Look and feel</h3><p>We designed every Commerce drop-in component using a standard base design system that consists of CSS tokens for colors, typography, spacing, shape styles, and a grid system.</p><p>Developers can customize the appearance of drop-in components by overriding or extending the built-in CSS classes. The DOM follows a consistent naming convention across all drop-in components, adhering to the <a href="https://getbem.com/">block-element-modifier (BEM)</a> methodology to enhance clarity, ensure predictability, and reduce the likelihood of style conflicts. Shared components used across multiple drop-in components (e.g., buttons, images) use the prefix “dropin,” following the format .dropin-&lt;component&gt;__&lt;element&gt;--&lt;modifier&gt;. On the other hand, drop-in-specific components are prefixed with the name of the drop-in component, such as .&lt;dropin-name&gt;-&lt;component&gt;__&lt;element&gt;--&lt;modifier&gt;. For example, the .dropin-button class applies styles to all buttons across the storefront, while the .auth-sign-in-form styles apply to the sign-in form from the authentication drop-in component.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*9Crm_HFiFvsYx-n0589IdQ.png" /></figure><h3>Restructuring layouts</h3><p>In Edge Delivery Services, <a href="https://www.aem.live/docs/authoring">authors manage pages directly from the content source</a>, including headings, images, videos, links, sections, and blocks. 
Blocks provide authors with pre-built, structured UI components, enabling them to design pages with sections that serve different functionalities — for example, heading blocks, hero blocks, product recommendation blocks, tiles blocks, etc.</p><p>We pre-integrated Commerce drop-in components into these blocks, which are readily available in the Boilerplate. For instance, in the Boilerplate environment, the PDP (Product Detail Page) is authored in products/default.docx and includes the following blocks:</p><ol><li><strong>Product Details</strong></li><li><strong>Content Enrichment</strong></li><li><strong>Product Recommendations</strong></li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*AC458S3IbJ4RhCm8k1kVeQ.png" /></figure><p>In the image above, each block (represented as a table) corresponds to a folder within the ./blocks/ directory, with folder names written in kebab-case (converting spaces and capitalization into lowercase and hyphens). For example, the “Product Details” block referenced in the table is in the ./blocks/product-details/ <a href="https://github.com/hlxsites/aem-boilerplate-commerce/tree/develop/blocks/product-details">directory</a>. Each block directory contains two required files matching its name:</p><ul><li>A CSS file for the block’s unique styles: ./blocks/product-details/product-details.css</li><li>A JavaScript file that transforms the block’s markup into the necessary HTML structure: ./blocks/product-details/product-details.js</li></ul><p>The <strong>Product Details</strong> block encapsulates the entire PDP layout. These layouts are fully composable, customizable, and styled based on their respective CSS and JavaScript files. If needed, developers can re-arrange and style all template sections and replace pre-built components with custom UI.</p><h3>Containers</h3><p>Drop-in components leverage Containers as modular UI views that structure sections within the layout. 
Each container delivers domain-specific Commerce functionality to the storefront, enabling flexible composition and customization. In the case of the PDP, there are Containers for each section of the layout, including the gallery, price, product description, configuration options, and more. This structure ensures that each section operates as an independent, composable unit while adhering to the overarching layout.</p><p>By breaking the layout into containers, developers can modify individual sections without affecting the design. For example, you can replace the gallery container with a custom image carousel or extend the product configuration container to include new options.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*kijgFgcPy2_JRnFopa5u5A.png" /></figure><h3>Customizing Containers with Slots</h3><p>Developers can perform granular customizations to the layout using predefined <a href="https://experienceleague.adobe.com/developer/commerce/storefront/dropins/all/extending/">slot extension points</a> within drop-in containers. These slots provide API methods and, in some cases, extra context data to inject custom HTML elements into specific areas of the UI without rebuilding the entire UI.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*SGtcFoR3-U7CLgPPZUH1Xg.png" /></figure><p>For example, in the product details page (PDP) drop-in component, the <strong>ProductOptions</strong> container includes a slot named <strong>Swatches</strong>. 
Developers can utilize this slot to add a “<strong>Size Chart</strong>” link below the product size options.</p><pre>pdpRenderer.render(ProductOptions, {<br>  slots: {<br>    Swatches(ctx) {<br>      // get slot element for &quot;size&quot; attribute<br>      const size = ctx.getSlotElement(&#39;product-swatch--size&#39;);<br>      // add link to Sizes<br>      if (size) {<br>        // create link<br>        const link = document.createElement(&#39;a&#39;);<br>        link.textContent = &#39;Size Chart&#39;;<br>        // set link href to size chart page with product SKU<br>        link.href = `/size-chart?product=${ctx.data.sku}`;<br>        // append link to size<br>        size.appendChild(link);<br>      }<br>    },<br>  },<br>})($options);</pre><p>In this script, the Swatches slot is accessed through its API, enabling the dynamic addition of a “Size Chart” link tailored to the product’s SKU. This approach empowers developers to enrich the user interface precisely where needed, offering additional functionality while maintaining a reusable and upgradable codebase.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Z5JvZ7kHW5sZa6x4B13ttg.png" /></figure><h3>Data synchronization across drop-in components</h3><p>Drop-in components are micro-frontends housed in independent and interchangeable containers, but how do they communicate effectively? Creating a seamless user experience from modular components requires robust data synchronization. To ensure that all drop-in components, regardless of their specific functionality, remain synchronized with each other and the overall storefront, we created a centralized event bus that facilitates real-time communication and state management.</p><p>For instance, when a user selects an option on the PDP, an event containing the updated product data is emitted to the event bus. Other containers on the PDP that are subscribed to this event are automatically updated to reflect the new information. 
Similarly, when the user adds the product to their cart, the cart drop-in component instantly updates by subscribing to the relevant cart data event. Drop-in components are interconnected via the event bus by design, enabling developers to subscribe to these events and leverage data changes to create custom features and enhancements.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*WK1dcVovFpoQPNT_fwnxsQ.png" /></figure><h3>The case for server-side rendering</h3><p>Delivering fast, accessible, high-quality content is non-negotiable in e-commerce. Although we build websites for humans, some web crawlers have limited support for client-side rendering, which can impact SEO and the discoverability of product pages.</p><p>Product Detail Pages (PDPs) in Edge Delivery Services for Commerce rely on folder-mapped pages — virtual pages created dynamically. A template page is used for all PDP paths requested, i.e., /products/*. Essential metadata, including the title, description, keywords, OpenGraph tags, and JSON-LD product schema, is rendered server-side to ensure optimal compatibility with social media sharing while the rest of the page loads client-side for dynamic functionality.</p><p>To improve SEO and deliver pages faster to users, Edge Delivery Services employs a serverless function to monitor product updates in Catalog Service. When detecting changes on a product, this function triggers the Edge Delivery Services preview API, which generates a fresh, static HTML version of the product page using the “bring-your-own-markup” render service. This system ensures that templates align with your functionality needs. 
This hybrid approach ensures that pages are fast, up-to-date, and optimized for users and search engines.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*7ITAVudn77Me1iw0znrV-A.png" /></figure><h3>The storefront journey has only just begun</h3><p>We have reimagined what a modern e-commerce storefront can be, and the Edge Delivery Services for Commerce Boilerplate manifests this vision. It offers developers a streamlined, composable foundation to create high-performance storefronts while addressing the inefficiencies of traditional architectures and bridging the gaps between content management and the commerce platform.</p><p>We are just scratching the surface of what’s possible, unlocking a future where every storefront is as dynamic, scalable, and unique as the businesses it represents. <a href="https://experienceleague.adobe.com/developer/commerce/storefront/">Give it a try</a> and join us in rethinking the modern storefront developer experience. Have questions or want to connect with others? <a href="https://discordapp.com/channels/1131492224371277874/1220042081209421945">Join our Discord channel</a> and be part of the conversation.</p><hr><p><a href="https://medium.com/adobetech/edge-delivery-services-for-commerce-a-new-storefront-has-dropped-ae1ac8d7ceca">Edge Delivery Services for Commerce: A New Storefront Has Dropped</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Behind the Scenes with Ammar Alim, DevSecOps Leader]]></title>
            <link>https://medium.com/adobetech/behind-the-scenes-with-ammar-alim-devsecops-leader-3a237b760a6d?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/3a237b760a6d</guid>
            <category><![CDATA[devsecops]]></category>
            <category><![CDATA[cloud-security]]></category>
            <category><![CDATA[security-culture]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[product-security]]></category>
            <dc:creator><![CDATA[Renae Kang]]></dc:creator>
            <pubDate>Thu, 05 Dec 2024 17:43:06 GMT</pubDate>
            <atom:updated>2024-12-05T17:43:52.747Z</atom:updated>
            <content:encoded><![CDATA[<h4>By <a href="mailto:https://www.linkedin.com/in/ammar-alim-6630a977/">Ammar Alim</a>, Senior Manager, DevSecOps</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VyCjLFPyEkZsuKtflim4yg.png" /></figure><p>Adobe’s DevSecOps team creates innovative solutions that seamlessly integrate application and infrastructure security into Agile and DevOps workflows. By embedding security into these solutions from the earliest stages of development, Adobe’s engineering teams can address security issues easier, faster, and at less expense before they reach production. Ensuring that Adobe bakes security into the DNA of its products at conception takes someone with a special interest in technology. It takes someone like Ammar Alim, senior manager of Adobe Security’s DevSecOps team whose passion for technology is rooted in a deep family history that has shaped his journey.</p><p>Join us as we take you <em>Behind the Scenes (BTS) </em>and introduce you to Ammar and how he puts his technology upbringing to work at Adobe.</p><h3><strong>Tell us about your career journey and background. What initially got you interested in cybersecurity?</strong></h3><p>My connection to technology wasn’t born from video games or childhood programming; to me, computers and technology have always been powerful tools for changing and improving lives. This understanding, passed down from my family experiences, has profoundly shaped my view of technology and has been a driving force in my career path.</p><p>My parents were born in villages along the Nile Valley, just south of the Great Pyramid of Giza. They were the first in their families to attend college where they met, breaking away from a long farming tradition that began in 3000 BC, according to historians. 
Most of my relatives still operate farms, but my parents took a different route, influenced by the opportunities that education and technology could provide.</p><p>My father moved to Saudi Arabia after college where he took a job with a foreign company that introduced him to computers. Eager to learn, he immersed himself in absorbing everything he could, eventually buying a Commodore 64 — one of the first home computers available — and taught himself how to program in the C language. He soon began to believe in the importance of computer literacy skills for everyone, so he inspired my mother to learn about computers after she lost out on a job due to her lack of computer skills.</p><p>When my father passed away while I was still young, my mother needed to find work to support our family. At the time, women weren’t allowed to work in Saudi Arabia, and opportunities were limited for educated women in Egypt. However, my mother used her technology skills to communicate with international organizations and eventually secured a job with the United Nations.</p><p>Building upon my parents’ own experiences, I took a part-time tech job in my second year of college, which eventually turned into a full-time role after graduation. This job introduced me to a manager who played a pivotal role in shaping my career. He led the application security team, overseeing vulnerability management, penetration testing, and other key functions. As I attended staff meetings, I became increasingly fascinated by security as engineers shared updates on their security projects.</p><p>I became particularly interested in cloud security as our company was migrating to the cloud. It quickly became clear that securing cloud environments posed a significant challenge due to a shortage of expertise in the field. 
With the public cloud on the horizon, I saw an opportunity to enter an emerging field, contribute to the team, and advance my career.</p><p>At the time, I had no prior cloud experience, so I committed several months of studying to achieve AWS certifications and attended an AWS conference in Chicago to learn more. Shortly after, I officially joined the Cloud team and transitioned to working full-time on cloud security automation.</p><p>A year later, I had established myself as a cloud security engineer, and as demand for cloud security professionals surged in this rapidly growing field, I began receiving job offers. One offer stood out — a chance to move to Seattle and join a dedicated cloud security team, which I couldn’t pass up. It wasn’t just a dream job; it was the realization of a personal goal to live in Seattle, a city I had always been drawn to, both for its tech scene and its mountain climbing scene.</p><p>I later had the opportunity to lead Cloud &amp; Infrastructure Security at Frame.io, a fast-growing post-production startup that offered immense growth and learning opportunities. After Adobe’s acquisition of Frame.io in 2021, my team eventually transitioned to leading DevSecOps at Adobe.</p><h3><strong>What do you enjoy most about your current role?</strong></h3><p>As the leader of Adobe’s DevSecOps team, I oversee a talented group of engineers focused on empowering product teams to ship “software, safer, sooner” — our DevSecOps motto — by creating seamless integrations that boost developer productivity.</p><p>Our team drives two key security initiatives. First, we leverage fuzz testing, a powerful security testing technique, to ensure Adobe applications, including flagship products like Photoshop, meet the highest security standards. Second, we provide Web Application Protection, using advanced tools such as cloud-native and next-gen web application firewalls to defend against emerging threats, including zero-day vulnerabilities. 
We also focus on enabling fast response to attacks like DDoS, making sure our products remain secure and reliable under attack.</p><p>What I enjoy most about working with my team is tackling complex security challenges. I love seeing how the team grows with each project. There’s often a sense of confusion and anxiety at the start of a big project, but I’ve come to see it as a positive sign; it means we’re working on something important and challenging. Over time, I’ve watched the team transform rough ideas into well-developed solutions, experimenting, refining, and improving with each step.</p><p>As a manager, there’s nothing more satisfying than seeing my team overcome tough challenges, take risks, and push through difficult moments to complete a project. These experiences create strong bonds and a sense of unity, which makes the work even more fulfilling.</p><h3><strong>What is your favorite part about working at Adobe?</strong></h3><p>What I appreciate most about Adobe is the abundance of opportunities given to contribute to something greater and make a real difference in people’s lives through technology. As tech workers, we sometimes forget how much our work can impact real people’s lives, but then I think of someone like my neighbor, a photographer and a single mother of two. For her, Photoshop isn’t just a tool; it’s her livelihood. Working at Adobe, I support the technology that enables her and countless others to pursue their passions and provide for their families. Knowing that what we do directly helps people like her is what makes my work truly meaningful.</p><p>Adobe also prioritizes the well-being of its employees, consistently demonstrating care whether through crisis support, mental health resources, or flexible work options. 
This commitment fosters a culture where people feel valued, which is why I’m proud to work here.</p><h3><strong>What is one piece of advice you would give to someone interested in pursuing a career in cybersecurity?</strong></h3><p>I advise anyone getting into cloud security to build a solid foundation in IT basics like networking, infrastructure, and programming. You don’t need to be an expert in everything, but having a well-rounded understanding will help you adapt to new challenges. Versatility is critical in security because it lets you see the bigger picture and contribute more effectively.</p><p>Another piece of advice is to stay mindful of how your role fits into the broader context of business and society. It’s easy to get lost in the technical details, but stepping back to understand how your work impacts the company, the industry, and even society as a whole will give you a valuable perspective. It helps you improve your work, connect to a larger purpose, and make a more meaningful impact.</p><h3><strong>Finally, what is one thing people would be surprised to know about you?</strong></h3><p>Growing up across three continents and speaking four languages, I’ve always been fascinated by different cultures. As a child, living in foreign countries often made me feel like I didn’t quite belong. To fit in, I often embraced local customs, including wearing traditional clothing. This began when I was three years old and living in Saudi Arabia. I didn’t fully understand the significance at that age, but I begged my parents to buy me a Ghutra (traditional white headscarf) and an agal (the black cord worn over it), wanting to wear what I saw around me.</p><p>What started as a way to fit in gradually evolved into something more meaningful. As I moved to different countries, my interest in traditional clothing grew into a deeper appreciation for the diverse cultures I experienced. 
Today, I have a collection of traditional garments from the places I’ve lived or visited, each one a reminder of those unique experiences and memories. Over time, this collection has come to symbolize my respect for the diversity of cultures that have shaped who I am.</p><p>This global perspective has also influenced how I work. Whether learning new technologies or navigating diverse team dynamics, adaptability and understanding different perspectives have become invaluable assets to me. With Adobe planning to open a new regional headquarters in Riyadh, Saudi Arabia in the next year, I’m thinking it may be time to pay a visit to the new office, proudly wearing a traditional<em> Thobe</em>…</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/862/1*ieS38wlUcCU6zvT8SIAFyg.png" /></figure><h3>What’s on Your Mind? We Want to Hear from You!</h3><p>Your opinion matters to us. Help shape the future of our blog by sharing your ideas and preferences. Click the link below to take a quick survey and tell us what you’d like to read about next.</p><p><a href="https://survey.adobe.com/jfe/form/SV_08TWfd3N5aWWNWS"><strong>&gt; Take the Security@Adobe Tech Blog Survey</strong></a></p><hr><p><a href="https://medium.com/adobetech/behind-the-scenes-with-ammar-alim-devsecops-leader-3a237b760a6d">Behind the Scenes with Ammar Alim, DevSecOps Leader</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Important Cross-Origin Isolation Update for Adobe Express Add-on Developers]]></title>
            <link>https://medium.com/adobetech/important-cross-origin-isolation-update-for-adobe-express-add-on-developers-8404940e4d43?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/8404940e4d43</guid>
            <category><![CDATA[developer]]></category>
            <category><![CDATA[cross-origin-isolation]]></category>
            <category><![CDATA[adobe-express]]></category>
            <category><![CDATA[addons]]></category>
            <category><![CDATA[adobe-creative-cloud]]></category>
            <dc:creator><![CDATA[Kerri Shotts]]></dc:creator>
            <pubDate>Fri, 08 Nov 2024 21:57:57 GMT</pubDate>
            <atom:updated>2025-01-28T22:28:30.478Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*PsAIksivYIiDbRyisLx3yg.jpeg" /><figcaption>Important updates for Adobe Express add-on developers. (Image generated by Adobe Firefly)</figcaption></figure><p><strong>Adobe Express will soon enforce cross-origin isolation for Chromium-based browsers</strong> (including Chrome, Microsoft Edge, Opera, and others). This change may negatively impact your add-on’s functionality due to stricter rules enforced by the browser. You’ll want to ensure that any add-ons you’ve developed or are building now work in this new environment.</p><p><strong>Note: </strong>We expect the enforcement of cross-origin isolation headers to begin around the end of 2024. We’ll provide an update here and in our documentation the moment we have a more certain date.</p><p><strong>Update as of January 2025: </strong><em>We expect Adobe Express to begin enforcing the new cross-origin headers within the next month or so. Developers of impacted add-ons should submit new versions of their add-on by February 15, 2025 to ensure sufficient time for the review process to complete. Add-ons that fail to work after Adobe Express enforces these headers may be removed.</em></p><h3>Impact</h3><p>This change may impact your add-on’s access to external resources, especially if your add-on relies on iframes to display content or support payment flows. This could also impact add-ons that make fetch calls or display images from external sources. If your external source is not properly configured, users may see missing content or may encounter silent failures if your add-on can’t load a remote resource. Since this results in a poor experience, developers must ensure that their add-ons work in this new environment.</p><p>Currently, this change only impacts Chromium-based browsers (e.g., Chrome, Edge, Opera, etc.). This change also applies to add-ons running on Android devices if you’ve developed a mobile add-on. 
Firefox and Safari browsers are not impacted.</p><p><strong>Note:</strong> This affects <em>all</em> add-ons even if they aren’t published in the add-on marketplace. This includes both private and internally distributed add-ons.</p><h4>Types of Failures</h4><p>Some failures will be more obvious than others, but all can negatively impact the user experience of your add-on.</p><ul><li>If a nested iframe fails to load, Chrome and Chromium-based browsers display a very obvious error message inside the iframe indicating that the domain “refused to connect”.</li><li>If an image fails to load, you may notice missing images in your add-on’s user interface. You should also see failures in the Network section of the browser’s developer tools.</li><li>If a network call fails due to JavaScript code, you should see warning and error messages in the browser’s developer tools.</li></ul><h3>Test your add-on</h3><p>Until Adobe Express enables these headers by default, you can verify that your add-on will function correctly by applying local header overrides. We’ve provided <a href="https://developer.adobe.com/express/add-ons/docs/guides/develop/coi/#testing-your-add-on">full instructions on simulating these headers in our developer documentation</a>.</p><h4>What should you test?</h4><p>While most add-ons are likely to be unaffected by this change, you should double-check any flows that access external content or embed resources from other domains in your add-on’s user interface. 
This includes purchase flows, loading external content in iframes, displaying assets from external domains, and adding content to the user’s document that originates from an external domain.</p><p><a href="https://developer.adobe.com/express/add-ons/docs/guides/develop/coi/#what-to-test-in-your-add-on">Check out the documentation for more detail.</a></p><h3>Addressing issues found in your add-on</h3><p>If you do encounter issues in your add-on related to cross-origin isolation, these are generally easy to address. You should check your add-on as soon as possible, however; if you rely on a third-party service, you may have to do more work to address any cross-origin isolation issues.</p><p><a href="https://developer.adobe.com/express/add-ons/docs/guides/develop/coi/#addressing-issues-found-in-your-add-on">Read our documentation for more detail on fixing issues.</a></p><h3>Next Steps</h3><p>You should <a href="https://developer.adobe.com/express/add-ons/docs/guides/develop/coi/">review the documentation</a> for complete details about cross-origin isolation which includes steps on setting up your local environment for testing. You should also <a href="https://developer.adobe.com/express/add-ons/docs/references/changelog/">keep an eye on the changelog</a> as the documentation will be updated over time.</p><p>While we expect that the majority of add-ons are <em>not </em>impacted or affected, we are performing smoke tests for currently published add-ons to double-check. If we encounter any add-ons with failures, we’ll reach out to the developers of the affected add-ons. <strong><em>However, it is wise for all add-on developers to test their add-ons since they know their add-on inside and out.</em></strong></p><p>All new add-ons published to the marketplace will be reviewed with these headers in place. 
If the reviewer finds a problem with your submission related to cross-origin isolation that impacts the usability of your add-on, the reviewer will reject your add-on.</p><p>If you have issues testing your add-on or addressing any issues relating to this change, <a href="https://developer.adobe.com/express/community">don’t hesitate to let us know</a>.</p><hr><p><a href="https://medium.com/adobetech/important-cross-origin-isolation-update-for-adobe-express-add-on-developers-8404940e4d43">Important Cross-Origin Isolation Update for Adobe Express Add-on Developers</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Proofs of Concept: A Proactive Approach for Hypothesis-Driven Threat Hunting]]></title>
            <link>https://medium.com/adobetech/proofs-of-concept-a-proactive-approach-for-hypothesis-driven-threat-hunting-b35678caf403?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/b35678caf403</guid>
            <category><![CDATA[threat-hunting]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[proof-of-concept]]></category>
            <category><![CDATA[detection-and-response]]></category>
            <category><![CDATA[hypothesis-testing]]></category>
            <dc:creator><![CDATA[Renae Kang]]></dc:creator>
            <pubDate>Wed, 23 Oct 2024 19:33:52 GMT</pubDate>
            <atom:updated>2024-10-23T19:33:34.085Z</atom:updated>
            <content:encoded><![CDATA[<h4>By <a href="https://www.linkedin.com/in/adrian-bondocea-864006103/">Adrian Bondocea</a>, Senior Cyber Threat Hunter &amp; <a href="https://www.linkedin.com/in/marius-m-8a3ab9146/">Marius Manica</a>, Manager, EMEA Computer Security Incident Response Team (CSIRT)</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/672/1*GTcz4tgemMQ9p_J5XuQTLg.jpeg" /><figcaption>Generated with <a href="https://www.adobe.com/products/firefly.html">Adobe Firefly</a>.</figcaption></figure><p>In today’s evolving threat landscape, traditional reactive approaches to cybersecurity are no longer enough to protect organizations from sophisticated attacks. <a href="https://blog.developer.adobe.com/building-our-security-coordination-center-scc-hunting-program-123ec9b2dd1e">Threat hunting</a> fills this gap with a proactive, methodical strategy for uncovering threats that evade automated defenses.</p><p>At the heart of effective threat hunting is <em>hypothesis testing</em> — the practice of developing informed assumptions about potential threats and systematically investigating them. A powerful tool in this process is the <strong><em>Proof of Concept (POC)</em></strong>, which helps validate hypotheses, simulate attack scenarios, and refine detection mechanisms. By leveraging POCs, organizations can test their assumptions in controlled environments, enhancing their detection capabilities and mitigating potential threats.</p><p>In this blog, we’ll discuss how Adobe Security’s threat hunting team employs strategies such as hypothesis testing and POCs to strengthen our detection capabilities and proactively defend against evolving threats.</p><h3><strong>Defensive vs. Offensive Approaches in Threat Hunting</strong></h3><p>In threat hunting, there are two primary approaches: defensive and offensive.</p><p><strong>Defensive Approach</strong></p><p>In a defensive approach to threat hunting, proactive hunting plays a critical role. 
Rather than waiting for alerts or known incidents, threat hunters actively search their systems, networks, and logs for traces of malicious activity, with a goal of identifying Indicators of Compromise (IoCs) or Tactics, Techniques, and Procedures (TTPs) described in threat intelligence reports.</p><p>Additionally, threat hunters use behavioral patterns and anomalies from these reports to detect signs of advanced or stealthy threats that may bypass traditional signature-based detection systems. This proactive strategy enables hunters to identify latent threats that may exist within the environment without triggering automated alerts, ensuring a more comprehensive and preemptive defense against potential attacks.</p><p><strong>Offensive Approach</strong></p><p>In an offensive approach to threat hunting, the hunter takes on the mindset and tactics of an attacker to simulate real-world cyber threats. This involves using the same Tactics, Techniques, and Procedures (TTPs), as well as tools commonly employed by attackers. Threat hunters may also develop custom tools that don’t yet have detection signatures, enabling them to emulate more sophisticated or novel attacks.</p><p>By mimicking an attacker’s steps to target the organization’s internal infrastructure, threat hunters can generate valuable artifacts, such as logs or traces of malicious activity, which help security teams identify similar actions in the future and detect actual attacks early. This process also helps uncover gaps in existing detection systems or logging mechanisms, enabling teams to strengthen defenses and improve overall security monitoring.</p><p>Weighing these two approaches, Adobe’s threat hunting program integrates both strategies into a comprehensive framework. Traditional reactive defensive methods often fall short against modern adversaries, so we incorporated a range of offensive techniques during our testing phase that mimic the tactics a malicious actor might employ. 
This strategy allows us not only to validate hypotheses but also to produce the artifacts necessary for developing the logic behind potential detection rules.</p><h3><strong>Understanding Hypothesis-Driven Threat Hunting</strong></h3><p>Threat hunting is often driven by hypotheses — educated guesses based on known attack patterns, anomalies, or intelligence that suggest the presence of a threat. Rather than waiting for threat alerts to trigger, threat hunters proactively search for indicators of compromise (IoCs) or suspicious activities within their networks. A hypothesis can stem from various sources, including recent threat intelligence reports, unusual network behavior, known vulnerabilities within the organization’s environment, or legitimate software that may be exploited for malicious purposes.</p><p>For instance, a hypothesis might suggest the presence of a specific type of malware targeting specific assets or data within a system. By leveraging such hypotheses, Adobe has not only identified novel techniques but also uncovered critical vulnerabilities that emerged during the testing process.</p><h3><strong>Why Proofs of Concept Are Essential</strong></h3><p>In the context of threat hunting, a POC involves creating a controlled, often isolated environment to test a hypothesis by simulating a potential threat scenario, observing its behavior, and assessing whether it can be detected and mitigated. 
Running a POC allows threat hunters to transition from theoretical assumptions to concrete evidence, enabling them to refine their detection and response strategies.</p><p>This process offers several defensive advantages, including generating valuable indicators, validating existing detection rules, creating high-fidelity detection rules, identifying visibility gaps, and, in some cases, facilitating the capture of attackers.</p><p>POCs are essential in threat hunting for the following reasons:</p><ul><li><strong>Validation of Hypotheses</strong>: POCs provide a structured way to test hypotheses, allowing organizations to verify whether a suspected threat is real or benign. This reduces the chances of false positives and helps to focus resources on real threats.</li><li><strong>Enhanced Detection Capabilities</strong>: POCs let threat hunters observe the behavior of a simulated threat in a testing environment and refine their detection techniques by adjusting alert thresholds, fine-tuning detection rules, or developing new monitoring strategies.</li><li><strong>Risk Reduction</strong>: Organizations can observe potential threats in a controlled environment through POCs, allowing for safe experimentation with various scenarios and responses while minimizing risk to the broader network.</li><li><strong>Improved Incident Response</strong>: POCs provide insights during testing that directly inform incident response strategies, enabling organizations to understand how threats manifest and spread, which helps drive more effective containment and remediation plans.</li><li><strong>Knowledge Transfer and Skill Development</strong>: POCs help upskill threat hunting teams by offering hands-on experience with real-world scenarios, improving their understanding of the nuances of threat detection and response.</li><li><strong>Tool Validation</strong>: POCs enable the evaluation of tools within the security stack and the assessment of their capabilities.</li><li><strong>Visibility 
Gaps</strong>: POCs help identify instances where threat hunters may encounter gaps in log sources, logging capabilities, and coverage while implementing techniques to validate hypotheses.</li></ul><h3><strong>Wrap Up</strong></h3><p>Integrating POCs into threat-hunting efforts is not just a best practice; it has become essential in today’s complex threat landscape. By validating hypotheses through meticulously designed assessments, POCs can enhance detection capabilities, minimize the risk of false positives, and strengthen an organization’s overall cybersecurity posture. As threats continue to evolve, the ability to test and refine our defenses through POCs will be a critical differentiator in staying ahead of potential attackers.</p><h3>What’s on Your Mind? We Want to Hear from You!</h3><p>Your opinion matters to us. Help shape the future of our blog by sharing your ideas and preferences. Click the link below to take a quick survey and tell us what you’d like to read about next.</p><p><a href="https://survey.adobe.com/jfe/form/SV_08TWfd3N5aWWNWS"><strong>&gt; Take the Security@Adobe Tech Blog Survey</strong></a></p><hr><p><a href="https://medium.com/adobetech/proofs-of-concept-a-proactive-approach-for-hypothesis-driven-threat-hunting-b35678caf403">Proofs of Concept: A Proactive Approach for Hypothesis-Driven Threat Hunting</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Updates for Creative Cloud Desktop Extensibility]]></title>
            <link>https://medium.com/adobetech/updates-for-creative-cloud-desktop-extensibility-0dd5c663563e?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/0dd5c663563e</guid>
            <category><![CDATA[extensibility]]></category>
            <category><![CDATA[adobe-creative-cloud]]></category>
            <category><![CDATA[plugins]]></category>
            <category><![CDATA[cep]]></category>
            <category><![CDATA[uxp]]></category>
            <dc:creator><![CDATA[Padma Krishnamoorthy]]></dc:creator>
            <pubDate>Fri, 18 Oct 2024 22:05:06 GMT</pubDate>
            <atom:updated>2024-11-12T16:25:19.083Z</atom:updated>
            <content:encoded><![CDATA[<h4>The latest info for anyone who has built CEP Extensions or UXP plugins or has hosted their work in Adobe Marketplace.</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*o1mYE9VVFLJk8k27juic2w.png" /></figure><h3>Unified eXtensibility Platform (UXP)</h3><p>We recently released UXP v8.0 in Photoshop 2025 (v26) and InDesign v20.0 with the key features listed below:</p><ul><li>Support for <strong>new Spectrum Web Components</strong> to provide a wholesome UI library that aligns with Adobe’s Design Language — Spectrum</li><li>The much-awaited <strong>local HTML support for Webview</strong>. Webviews are particularly helpful for features that are not innately supported in UXP, such as animation, 3D APIs, etc. By allowing local HTML files, we are reducing the overhead of hosting the HTML files on a remote server and allowing you to provide complete functionality within the UXP plugin package.</li><li>Enhancements to the Video, HTMLElement, and HTMLForm APIs to match the web APIs.</li></ul><p>Photoshop and InDesign have new DOM APIs, too.</p><h4><strong>This year, Photoshop did the following:</strong></h4><ul><li>Introduced the ability to record a function call inside a UXP plugin as an Action step.</li><li>Allowed access to the Photoshop C++ SDK from UXP Hybrid Plugins.</li><li>Added improvements to help avoid request collisions when using executeAsModal.</li></ul><p><a href="https://developer.adobe.com/photoshop/uxp/2022/ps_reference/changelog/">Discover more details about the APIs in Photoshop</a>.</p><h4><strong>InDesign v20.0 includes the following:</strong></h4><ul><li>Capability to persist storage for plugin data to carry over plugin data from one version of InDesign to the next. 
By selecting the ‘Import Previous Settings and Preferences’ option during plugin installation, the user’s plugin data is preserved when upgrading to the newer version of InDesign.</li><li>Support for the Flyout menu — now you can invoke operations directly from the hamburger icon at the top right of your plugin panel, without taking up any real estate.</li><li>Support for UXP GUID APIs.</li></ul><p><a href="https://developer.adobe.com/indesign/uxp/changelog/">Discover more details about the APIs in InDesign</a>.</p><h4><strong>Adobe XD</strong></h4><p>As a reminder, please note that on November 15th, 2024, we will stop accepting <em>new</em> plugins for Adobe XD in our Marketplace. Existing published plugins can continue to be managed and updated via the Developer Distribution portal. The UXP Developer Tool (UDT) will continue to support plugin development. Visit the <a href="https://developer.adobe.com/xd/uxp/faq/">FAQs</a> page for more details.</p><h4>Premiere Pro and Adobe Media Encoder (AME) will be joining the UXP family very soon</h4><p>UXP in Premiere Pro has been in a private beta phase for a few months now. If you need access to the pre-release, you can reach out to us at <a href="mailto:ppro-uxp-extensibility@adobe.com">ppro-uxp-extensibility@adobe.com</a>. The public beta is expected to launch in early December, allowing you to obtain the Premiere Pro beta and the latest version of UXP Developer Tool (UDT) from Creative Cloud Desktop app (CCD) to start creating UXP plugins.</p><p>AME will soon be onboarding with UXP. The private beta is tentatively scheduled for December, with general availability (GA) coinciding with the Premiere Pro release. 
For pre-release access, please reach out to us at <a href="mailto:ppro-uxp-extensibility@adobe.com">ppro-uxp-extensibility@adobe.com</a> for more information.</p><h3>Upcoming Marketplace changes</h3><p>To comply with the <a href="https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-services-act_en"><strong>European Union Digital Services Act</strong></a>, developers must provide additional information (e.g. phone number, email address, etc.) in their publisher profile in order to be shown to users in the European Union. If you choose not to provide this information, your listing won’t be visible or available in the <a href="https://exchange.adobe.com/">Exchange</a> or in our Creative Cloud Desktop app for users in the European Union beginning Feb 17, 2025. Please stay tuned for more information and details on how to update your information. We will give you plenty of notice before this change takes effect.</p><h3>CEP</h3><p><a href="https://github.com/Adobe-CEP/CEP-Resources/blob/master/CEP_12.x/Documentation/CEP%2012%20HTML%20Extension%20Cookbook.md">CEP 12</a> shipped with Photoshop 25.12, Premiere Pro 25.0, and After Effects 25.0. InDesign and Illustrator will come later. CEP 12 will be the last major update to CEP, although critical security issues will continue to be addressed. No further new features are planned.</p><p>CEP 12 now supports a newer version of Chromium (99), updates V8 to 9.9.115, and replaces the deprecated OpenGL APIs with Metal on Mac. Most plugins should continue to work as is, but please check for any irregularities. CEP 12 works with NodeJS 17.7.1, so some extensions built on older versions of NodeJS may need to be updated in order to continue to load. 
If you run into a critical issue, please post it in <a href="https://community.adobe.com/t5/exchange/ct-p/ct-exchange">the forums</a> or email <a href="mailto:ccintrev@adobe.com">ccintrev@adobe.com</a>.</p><p>For more specifics, check the <a href="https://github.com/Adobe-CEP/CEP-Resources/blob/master/CEP_12.x/Documentation/CEP%2012%20HTML%20Extension%20Cookbook.md">CEP Cookbook</a>. Be sure to check the <a href="https://github.com/Adobe-CEP/CEP-Resources/blob/master/CEP_12.x/Documentation/Issues.md">known issues</a> and <a href="https://github.com/Adobe-CEP/CEP-Resources/blob/master/CEP_12.x/Documentation/CEP%2012%20HTML%20Extension%20Cookbook.md#migration-from-cep-11-to-cep-12">migration notes</a>.</p><p><em>Subscribe to our </em><a href="http://adobe.ly/devnews"><em>Creative Cloud Developer Newsletter</em></a><em> and join the Creative Cloud Desktop Office Hours (the next one is on </em><a href="https://events.ringcentral.com/events/office-hours-for-adobe-creative-cloud-developers-november-21-2024-c1aa9b2f-2cf5-4c60-b776-58190a945b7e"><em>November 21st</em></a><em>) to stay up to date with the latest.</em></p><hr><p><a href="https://medium.com/adobetech/updates-for-creative-cloud-desktop-extensibility-0dd5c663563e">Updates for Creative Cloud Desktop Extensibility</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[AI-Powered Red Teaming: Keeping Pace with Our Adversaries]]></title>
            <link>https://medium.com/adobetech/ai-powered-red-teaming-keeping-pace-with-our-adversaries-92984bab5ebb?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/92984bab5ebb</guid>
            <category><![CDATA[red-team]]></category>
            <category><![CDATA[offensive-security]]></category>
            <category><![CDATA[ai-tools]]></category>
            <category><![CDATA[red-team-tools]]></category>
            <category><![CDATA[security]]></category>
            <dc:creator><![CDATA[Renae Kang]]></dc:creator>
            <pubDate>Tue, 15 Oct 2024 17:02:23 GMT</pubDate>
            <atom:updated>2024-10-15T21:03:07.514Z</atom:updated>
            <content:encoded><![CDATA[<h4>By <a href="https://www.linkedin.com/in/ty-anderson-redteamer/">Ty Anderson</a>, Senior Red Team Engineer</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/672/1*bMhtFJK7bty6eAuGKdK8Dw.jpeg" /><figcaption>Generated with <a href="https://www.adobe.com/products/firefly.html">Adobe Firefly</a>.</figcaption></figure><p>As the <a href="https://blog.developer.adobe.com/cybersecurity-red-teaming-when-assumptions-arent-enough-d3666a61b660">Adobe Red Team</a> proactively helps strengthen the company’s overall security posture, we often find ourselves needing to develop new capabilities to emulate the growing number of increasingly complex adversarial attacks. Adversaries today are stepping up their attack work by using AI and we need to do the same to stay one step ahead.</p><p>Over the past year, we’ve been utilizing AI tools to assist us in scaling our activities effectively and efficiently, particularly as we <a href="https://attack.mitre.org/techniques/T1587/">develop capabilities</a> for our Red Team operations. Using AI has allowed us to work smarter by building out new solutions more quickly — including malware, exploits, and our own custom C2 (Command and Control) systems — while enabling our team members to focus their valuable time on work where their unique expertise adds the most value. Conditions such as running processes and supported code languages can change dramatically between environments, and AI tools quickly provide working (or close-to-working) solutions that match the specific needs of the various situations we encounter.</p><p>In this blog, I will illustrate how we use AI in our Red Team operations to emulate adversaries more accurately in our efforts to stay ahead of their attacks.</p><h4><strong>Using AI to Beat AI-Enabled Attacks</strong></h4><p>As a Red Team, we must closely monitor the actions of real-world adversaries so we can align with their methods of attack. 
Our use of AI tooling factors into this knowledge and helps us in our efforts to stay ahead of these adversaries.</p><p>By rigorously testing the defenses of our own product teams with the help of AI, we aim to be better and faster at finding, exploiting, and subsequently defending the same targets that these adversaries are targeting. AI-fueled testing aids us in our mission to strengthen Adobe’s ability to withstand sophisticated attacks and protect our company and customer data.</p><h4><strong>AI Increases Red Team Efficiency</strong></h4><p>When we prepare and build prerequisite tools and artifacts for a specific test or measurement, we usually do it to support our operational objectives. Aside from delivering results to the company and helping guide security improvements, the Red Team produces much of its value when we conduct actual testing and generate traffic. The logs that result from these tests provide tangible progress towards our ongoing objectives. Freeing up cycles from the preparatory phases of a task enables Red Team engineers to invest more time and focus into executing crucial steps of our attack chains — the hands-on, keyboard functions — needed to reach objectives that directly correlate to Red Team recommendations.</p><p>AI also helps our engineers work smarter, not harder, by saving us dozens of hours of studying, learning, and practicing new coding languages during the first draft of tools and by supplying code comments that explain the code’s functionality. With this low barrier to use, the Red Team then modifies and adjusts the tools to ensure they function the way we intended them to work.</p><p>The Adobe Red Team uses different AI tools to speed up our research and development in the following ways:</p><ul><li><strong>Educating Our Operators:</strong> AI tools quickly summarize relevant blogs and articles to teach our operators about various adversaries and their objectives in a timely manner. 
For instance, after the release of an initial blog detailing an adversary’s recent actions, it’s common to see follow-up posts that provide additional insights and perspectives. AI enhances our ability to identify and digest these key insights and perspectives by gathering, synthesizing, and summarizing all relevant data, allowing our operators to analyze the information easily and probe deeper where needed.</li><li><strong>Building Tools:</strong> AI supports quicker and more efficient drafting of tools for different aspects of Red Team operations. This can include building scanning tools to use during reconnaissance, exploit tools to help us obtain initial access, and C2 modules to help us scale post-exploitation actions. Previously, having to review documentation and select the best function for a task slowed down our coding process. Now we can simply ask AI which built-in function to use or even have it write the function for us, which significantly speeds up development.</li><li><strong>Freeing Time and Resources:</strong> AI frees time for Red Team members to conduct more tests and reach our objectives quicker. For example, by reducing research time by 30 percent when analyzing adversary behavior, the Red Team can now repurpose that saved time to conduct an additional test. This increased efficiency enables us to yield more results in less time, while focusing on delivering our measurements rather than building capabilities, which ultimately drives greater impact across the company.</li></ul><h4><strong>AI Enhances Red Team Efficiency</strong></h4><p>The Adobe Red Team has incorporated AI-generated tools into our operations, which allows us to spend more time executing and achieving effective results. 
With more time to invest in execution, we’re able to play out adversarial scenarios more realistically and generate traffic that more-closely resembles actual adversary behavior.</p><p>Spending less time on resource development also allows us to invest more in enhancing the quality of our presentations. We’ve been able to achieve this by gathering more feedback, reaching a broader range of stakeholders, and sharing security recommendations ahead of scheduled presentations so that relevant product and security teams arrive prepared with their own analysis and work already underway. These advances in communication and reporting have strengthened our influence across the company, driving further investment in security initiatives that help protect our customers.</p><h4><strong>More to Come</strong></h4><p>The benefits of integrating AI into Red Team operations are already evident. Our increased focus on execution and delivery of results has helped us improve the quality of both our testing and our reporting. Leveraging AI tools not only boosts our efficiency, but also enhances adaptability across diverse environments, while maintaining the relevance and impact of our efforts.</p><p>However, we’re only beginning to uncover the full potential of leveraging AI for Red Team success. As we continue to explore and integrate these tools into our operations, we anticipate even greater enhancements in effectiveness and innovation. Our AI journey is far from over and we’re looking forward to discovering new ways to drive further impact across the company.</p><hr><p><a href="https://medium.com/adobetech/ai-powered-red-teaming-keeping-pace-with-our-adversaries-92984bab5ebb">AI-Powered Red Teaming: Keeping Pace with Our Adversaries</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Scaling Your Threat Modeling Program using GenAI]]></title>
            <link>https://medium.com/adobetech/scaling-your-threat-modeling-program-using-genai-934160279889?source=rss----9342990108af---4</link>
            <guid isPermaLink="false">https://medium.com/p/934160279889</guid>
            <category><![CDATA[application-security]]></category>
            <category><![CDATA[generative-ai-use-cases]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[genai]]></category>
            <category><![CDATA[threat-modeling]]></category>
            <dc:creator><![CDATA[Renae Kang]]></dc:creator>
            <pubDate>Mon, 23 Sep 2024 16:20:53 GMT</pubDate>
            <atom:updated>2024-09-23T18:00:06.193Z</atom:updated>
            <content:encoded><![CDATA[<h4>By <a href="https://www.linkedin.com/in/linwood-jones-227661b2/?utm_source=share&amp;utm_campaign=share_via&amp;utm_content=profile&amp;utm_medium=ios_app">Linwood Jones</a>, Senior Application Security Engineer and <a href="https://www.linkedin.com/in/pawansuresh/">Pawan Suresh</a>, Senior Application Security Engineer</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*3xFCcIqwiipMZRBFp9IRYA.jpeg" /><figcaption>Generated with <a href="https://www.adobe.com/products/firefly.html">Adobe Firefly</a>.</figcaption></figure><p>In the Security industry, the manual processes that drive traditional threat modeling methods are increasingly inadequate for managing the growing scale and complexity of today’s products and services. Lack of scalability leaves gaps in security, undermines customer trust, and hinders the ability to track patterns and provide consistent guidance due to insufficient data collection. The advent of generative AI (GenAI) further exposes the limitations of manual methods as it opens the door to more sophisticated and harder-to-detect threats.</p><p>Adobe has an ongoing commitment to explore and adopt state-of-the-art capabilities as our business and security practices evolve. We recognize that as we continue to grow and scale as a company, simply relying on manual threat models would lead to significant bottlenecks. To address these challenges and improve our overall security posture, we transformed our threat modeling program by integrating GenAI capabilities.</p><h3><strong>Transforming Threat Modeling Using GenAI</strong></h3><p>By leveraging automation and AI-driven insights, Adobe Security’s new GenAI-based threat modeling platform transforms the threat modeling process throughout Adobe by addressing the scalability, sophistication, and data collection issues inherent in traditional manual threat modeling methods. 
It empowers Adobe product and engineering teams to create robust threat models with ease, while ensuring our teams have access to best practices and expert guidance necessary to protect our digital ecosystem.</p><p>Here are the benefits of leveraging automation and AI-driven insights as part of our threat modeling platform:</p><h4><strong>Simplifies the Security Process</strong></h4><p>GenAI analyzes workflow information from user-provided design documents, immediately identifies potential threats based on Adobe-specific context, and maps them to known weaknesses (Common Weakness Enumerations or CWEs) and common attack patterns (Common Attack Pattern Enumeration and Classifications or CAPEC IDs). This automation is a significant value addition for product teams because it allows them to focus on innovation without compromising security.</p><h4><strong>Provides Immediate, Actionable Feedback</strong></h4><p>The platform provides immediate, in-line, real-time feedback on detected threats and offers clear, specific, and actionable mitigation strategies based on security best practices, which empowers our product teams to remediate the risks before they can be exploited by adversaries and helps to implement security measures effectively and efficiently.</p><h4><strong>Gives Product Teams More Autonomy</strong></h4><p>We integrated security policies and best practice documentation directly into the platform to give teams the autonomy to manage the security of their products while being supported by expert guidance. To prevent over-reliance on AI, we established a protocol for critical reviews that require human involvement. In these scenarios, hands-on consultation with a security researcher includes manual threat modeling to help identify potential threats. 
This process ensures that complex and high-risk scenarios are thoroughly reviewed by human experts armed with AI-driven insights that they assess, assure, and action as part of their threat modeling capabilities.</p><h4><strong>Improves Collaboration and Visibility</strong></h4><p>The platform includes a user-friendly, self-service interface that acts as the centralized hub for all threat modeling activities. Product teams can create and share threat models within their team, enhancing collaboration. Since the threat model is a living document, it can be updated as the application evolves. Product teams can initiate updates whenever new features, infrastructure changes, or libraries are introduced. Teams also have the flexibility to determine how frequently they update the threat model. All threat models are stored in a central repository, enabling us to identify recurring patterns and develop targeted security solutions helping improve protection across all Adobe products and services.</p><h3><strong>Enhancing Security Posture and Developer Productivity</strong></h3><p>Since deploying the automated GenAI-based threat modeling platform, we’ve detected over 400 actionable threats, providing product teams with clear mitigation strategies to promptly address these vulnerabilities. The result is an enhanced security posture and reduced potential risk for Adobe.</p><p>In addition, this new user-friendly interface has led to a 160 percent increase in productivity and efficiency across our user interface (UI) each month. 
Additionally, this streamlined process means that 80 percent of all threat models are now created in under 30 minutes, allowing our teams to focus more on innovation and less on the intricacies of threat modeling.</p><p>Overall, Adobe Security’s GenAI-based threat modeling platform has empowered our product and engineering teams to be more proactive and efficient in addressing security threats, benefiting not only Adobe, but ultimately our customers and partners by improving the security of our digital ecosystem. As we look ahead, our focus remains on advancing the platform with AI-driven capabilities, integrating deeper security insights throughout the development process, and continuously exploring new ways to anticipate and mitigate evolving threats in real time.</p><hr><p><a href="https://medium.com/adobetech/scaling-your-threat-modeling-program-using-genai-934160279889">Scaling Your Threat Modeling Program using GenAI</a> was originally published in <a href="https://medium.com/adobetech">Adobe Tech Blog</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>