Case Study: How WELL Health Scaled Application Security Without Increasing Budget

January 20, 2026

3-minute read

Industry: Healthcare and Healthtech

Organization: WELL Health Technologies

Security Leader: Iain Paterson, CISO

Product: Terra Security Continuous Pentesting

Background

WELL Health Technologies is a healthcare technology company operating across clinics and digital health services, where application security and reliability are tightly coupled with patient trust and regulatory expectations.

Before joining WELL Health as CISO, Iain Paterson was the CEO of Cycura, a penetration testing and security services firm that was later acquired by WELL Health and integrated into the organization. As a result, WELL entered this partnership with an unusually mature security posture, including deep in-house offensive security expertise and a strong understanding of traditional penetration testing programs.

This background provides critical context. The challenge WELL faced was not a lack of security knowledge or testing rigor, but the difficulty of scaling coverage and prioritization as the attack surface continued to grow.

The Problem: Point-in-Time Testing and Prioritization Drag

Even in mature programs, two application security realities create ongoing pressure:

  1. Coverage gaps between tests: Traditional penetration testing is periodic by nature. As applications, APIs, and releases change, the security posture can drift quickly between assessment windows.
  2. Triage fatigue: Many tools generate high volumes of findings, but do not consistently answer the question engineering teams care about most: “Is this actually exploitable and likely to matter to the business?”

Iain describes the challenge directly: “Application security alerts in particular are hard to determine true criticality vs. noise in most tools.”

Why Terra Security Entered the Program

WELL partnered with Terra Security to extend application testing beyond quarterly cycles, with the goal of increasing coverage and improving confidence in what deserved immediate engineering attention.

Iain summarizes the outcome: “Terra has 10X our web attack surface coverage. We went from quarterly pentests to 100% coverage within the same budget.”

Moving From More Findings to More Certainty

A central theme in Iain’s feedback is that application risk management breaks down when teams cannot distinguish theoretical exposure from verified impact, especially in business-logic heavy applications.

“A solution like Terra which produces verified, exploitable, business logic driven outputs enables development teams to focus their efforts and time fixing real meaningful vulnerabilities, the truly critical things that could really disrupt or hurt the business,” says Iain Paterson.

From a program standpoint, this framing supports a healthier operating rhythm between security and engineering: fewer debates over severity, faster remediation on what matters, and clearer reporting to leadership.

A Security Leader’s Point of View on Where AppSec Is Headed

Iain’s view is less about “more scanning” and more about reliability of truth signals:

“The future of application risk management isn’t more visibility, it’s more truth. Appsec programs succeed when organizations can distinguish noise from impact. Continuous exploit validation provides the missing layer of certainty that security and engineering teams need,” says Iain Paterson.

Results Highlighted by WELL Health

  • 10X web attack surface coverage (per customer statement)
  • Shift from quarterly pentests to continuous coverage (per customer statement)
  • Achieved within the same budget (per customer statement)
  • Improved engineering focus through verified, exploitable, business-logic driven outputs (per customer statement)

Takeaway

WELL Health’s approach reflects an evolution many security teams are pursuing: keeping the rigor of offensive security practices while adding continuous validation so risk decisions are based on exploitability and business impact, not volume of alerts.