How EDB saves 200+ hours per release with echo
"Security used to slow teams down, but now we’re accelerating. Even our most skeptical engineers are genuinely excited about echo."
Meet EDB
EDB (EnterpriseDB) is a global leader in database technology, providing enterprise-class PostgreSQL solutions that power mission-critical applications for customers worldwide. With over [X number of] services and teams spanning multiple regions, EDB’s complex platform requires close coordination and strong governance to maintain both agility and security.
The vulnerability challenge
As EDB’s platform has scaled, so too has the complexity of its security operations. The company’s growing number of containers, nearly one hundred today across multiple teams, created significant operational challenges. Every two weeks, a multi-person team spent days triaging vulnerabilities, reaching out to dependency owners, and determining exploitability, just to identify which CVEs truly mattered.
Security had become a massive bottleneck. “We were spending hours and hours of engineering time planning for vulnerabilities, instead of securing the applications themselves,” said Dan Garcia, CISO at EDB. Customers scanning their images introduced further friction, pulling in support teams and engineers to manage issues that often could only be resolved in the next release.
Because EDB’s product is deployed across customer environments, the team has to support multiple scanners, such as Trivy, Grype, Wiz, and Orca, each of which takes a different approach to vulnerability reporting. This fragmentation made it nearly impossible to achieve a single source of truth, with DevOps and security teams spending around 50 hours per month reconciling discrepancies, validating findings, and trying to determine which vulnerabilities actually required action.
The tipping point, however, came as EDB prepared its FedRAMP build: a unified, compliance-driven effort that consolidated all container images into one view. The result? A spreadsheet with over 18,000 vulnerability rows. That single moment revealed just how unsustainable a manual approach would be and underscored the need for a new strategy.
The echo solution
“It started with FIPS,” Dan said. “We realized trying to manage it manually simply wouldn’t be sustainable. And the other options in the market had significant issues that we weren’t willing to compromise on.” What began as a compliance-driven evaluation quickly evolved into a broader solution for container vulnerabilities as a whole.
echo’s secure-by-design base images fit seamlessly into EDB’s existing workflows, eliminating the need for manual triage while ensuring FIPS compatibility and full container coverage. “Ease of implementation, transparency, and trust – that’s what set echo apart,” Dan shared. “Other providers were cagey, whereas Echo was honest with us from the start.”
By adopting echo, EDB effectively rebuilt its vulnerability management model around prevention rather than reaction, achieving a sustainable, scalable approach that freed up teams to focus on innovation. And echo’s integration with major scanners ensured the impact of this partnership would also be visible to EDB’s customers.
Real results and impact
With echo, EDB’s once labor-intensive CVE management process has virtually disappeared. The three-person team that was previously dedicated to triage now focuses on high-impact work like threat modeling and feature security. Releases no longer require vulnerability grooming cycles, and engineers can ship code faster with full confidence in their container integrity.
As Dan put it, “Implementation was quiet — and that’s a really good thing.” echo’s images worked out of the box, without disrupting workflows or requiring retraining. “Security generally slows down… now we’re accelerating,” Dan said. Adoption has spread organically across teams, driven by engineers’ trust and enthusiasm.
Conclusion
echo helped EDB transform security from a drag on development to a catalyst for efficiency. “It felt like echo was the solution we had all been waiting for,” Dan reflected. Even the most skeptical engineers — “the ones who complain about everything,” as Dan joked — have praised echo’s results. The shift has been both cultural and operational: fewer distractions, fewer customer escalations, and faster, safer releases. “Our engineering director actually just reached out to thank me and tell me he truly believes implementing echo has improved team morale. I’ve never gotten that one before.”
Dan summarized it best: “Why try to manage CVEs internally when you don’t have to? echo gives you a more secure outcome, saves millions each year in operational costs, and lets your teams focus on development that really drives impact.”







