The situation
The company — whose software runs payroll and HR for a large share of the economy — was facing serious software reliability issues. Incidents were too frequent, and recovery too slow, for products businesses depend on to pay their people.
Classroom training would not move the needle. The practices had to be adopted inside live delivery, by the teams shipping production code.
What we did
- 01Ran a DevSecOps modernization program across all major development pods, working with several teams in parallel.
- 02Used a one-sprint live-adoption model: coaches embedded with each pod for a sprint, adopting the practices in real work rather than in workshops.
- 03Instilled Google SRE best practices for reliability, incident management, and operational discipline.
- 04Introduced threat modeling and security-design practice grounded in the STRIDE framework and OWASP guidelines.
- 05Built out an advanced CI/CD pipeline — SAST, DAST, code-quality scanners, and PR review discipline — to shift security and quality left.
- 06Helped stand up an innersource model, and supported senior-talent attraction — including new San Francisco and New York offices as hiring hubs.
The outcome
- Significant reduction in incidents and improved MTTR across the portfolio.
- P1 incident calls now run with discipline under named incident commanders.
- Proactive security and bug remediation through the hardened CI/CD pipeline.
- The innersource model spawned strong internal CI/CD and cloud tooling — and a thriving developer and architect community.
- Senior roles filled with top talent, anchored by the new coastal engineering hubs.
Engagement delivered by Avirso leadership during their tenure at a global management consultancy, prior to founding Avirso.