Use Cases

What Qontego does for your team

From PR reviews to vulnerability triage to ad-hoc security questions — see exactly how Qontego embeds into your workflow.

Use Case 1 — Code Review

Security-Aware PR Review

Qontego reviews every PR on your monitored repos. It doesn't just scan for patterns — it reasons about your specific service, references past incidents, and only comments when it has something genuinely valuable to say.

  • Inline comments with issue description, impact, and suggested fix
  • References relevant past vulnerabilities and incidents
  • Suggests test cases for security-sensitive changes
  • Regression detection: catches re-introduced vulnerability patterns

<120s

Median time from PR open to first security comment

payment-service · PR #482
@@ -40,6 +40,8 @@ export class TokenHandler {
41 const token = req.headers.authorization;
42- const decoded = jwt.verify(token, SECRET);
42+ const decoded = jwt.verify(token, SECRET, {
43+ algorithms: ['RS256'],
44+ });
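Review bot: with algorithms pinned to RS256, the second argument to jwt.verify must be the RSA public key, but the name SECRET reads like the HS256 shared secret; if it is, verification fails outright, so confirm what SECRET actually holds before merging. The options object also still omits issuer and audience, so iss and aud are not checked even after this change; add them alongside algorithms. And req.headers.authorization is usually "Bearer <token>", so strip the scheme prefix before passing the value to verify.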
Qontego · security review

Good fix pinning to RS256. But iss and aud claims are still unchecked. This was the root cause of INC-2024-031.

Medium severity · References: CVE-2024-0847 · Confidence: 94%
Use Case 2 — Vulnerability Triage

Automated Scan Triage

Your CI pipeline produces findings. Qontego ingests them, clusters duplicates, flags false positives, proposes priority, and suggests owners — cutting manual triage time by 50% or more.

  • Deduplicates and clusters related findings automatically
  • Marks likely false positives with justification
  • Assigns priority (P1–P4) based on service context and business risk
  • Suggests owners and fix direction for each confirmed finding

50%+

Reduction in manual triage time

Scan Triage — payment-service: 12 findings → 5 after dedup

  P1  SQL Injection in /api/users          Confirmed
  P3  Missing rate limit on /auth/token    Triaged
  P4  Unused dependency CVE-2024-1234      False positive
  P2  SSRF via webhook URL parameter       Confirmed
  P4  XSS in admin panel (CSP blocks)      Low risk

Qontego — 1 false positive removed, 2 duplicates merged. Suggested owners assigned.
Use Case 3 — @-Mention Q&A

Ask Your Security Engineer

Developers @-mention Qontego in Slack, PRs, or issue threads. It responds using your service context, codebase, and known issues — like having a senior AppSec engineer available 24/7.

  • Answers reference specific code, modules, and past issues
  • Threat model a feature on demand: "@qontego threat model this flow"
  • Look up past vulnerabilities: "@qontego any known issues with JWT in this service?"
  • Get security guidance in your planning discussions

24/7

Security expertise available in your existing tools

#eng-security
James K. · 2:14 PM

@qontego is this use of JWT okay for our auth service? We're using HS256 with a shared secret.

Qontego (app)

For your auth service, I'd recommend switching to RS256. Here's why:

1. Your service handles PII (flagged in your service description) and has PCI scope.
2. HS256 with a shared secret means any service that can verify tokens can also forge them.
3. You had a related incident in January (INC-2024-031) — algorithm confusion attack.

I can draft a migration plan if that's helpful.

Use Case 4 — Institutional Knowledge

Service-Level Security Memory

Qontego maintains a persistent, queryable memory for each service: past vulnerabilities, remediations, architectural decisions, and security policies. Knowledge that never walks out the door.

  • Tracks known vulnerability patterns and successful remediations
  • Maps findings to files, modules, and services
  • Stores custom security policies in natural language
  • Links incidents, CVEs, and triage decisions into a connected graph

47+

Memory entries per service, growing with every interaction

Service Memory — payment-service: 47 entries

  Vuln Pattern:  SQL injection via string interpolation in query builder
  Remediation:   Parameterized queries + input validation for all DB calls
  Architecture:  API gateway → auth service → payment service → DB
  Policy:        All public APIs must enforce rate limiting
  Incident:      INC-2024-031: JWT algorithm confusion in token handler
Use Case 5 — Confidential Questions

Private Q&A Mode

Not every security question should be asked in a public channel. Developers can DM Qontego privately for confidential questions without fear of looking uninformed.

  • DM the bot in Slack for private security guidance
  • Same service context and knowledge as public channels
  • No judgment — encourages developers to ask instead of guessing
  • Reduces shadow security decisions made without expert input

100%

Private — questions never shared or visible to others

Direct Message — Qontego · Private
Alex L.

Hey, I'm not sure if this endpoint I'm building needs CSRF protection. It's an API endpoint called from our mobile app. I don't want to ask in the public channel...

Qontego

Good question — and no judgment here. For API-only endpoints called from native mobile apps with token-based auth (which your service uses), CSRF protection isn't needed. CSRF targets cookie-based auth in browsers. Your endpoint is fine. If you later add a web client, we should revisit.

Use Case 6 — Continuous Improvement

Learning From Feedback

Every thumbs up, correction, and triage override makes Qontego sharper. It learns your team's risk tolerance, your service's quirks, and which patterns matter most to your specific context.

  • Thumbs up/down on PR comments and Q&A answers
  • Triage corrections feed back into priority calibration
  • Explicit teachings via Slack: "that's wrong because..."
  • Tracks developer security maturity over time (post-v1)

↑12%

Monthly improvement in comment acceptance rate

Feedback & Learning — payment-service

  PR Comments:      87% acceptance rate
  Triage Accuracy:  92% correct classification
  Q&A Helpful:      94% positive ratings

  Correction: "This isn't XSS, the output is already escaped by React"
  → Learned: React auto-escapes JSX

  Thumbs up on CORS config review
  → Reinforced: Origin validation patterns

Ready to see it in action?

Book a 30-minute walkthrough with the founder.

Book a walkthrough