RuStore deployed AI in information security: how VK automates task review, code review, and DAST testing

RuStore has embedded AI into the daily work of its security team. The model handles initial triage of Security Check tasks, analysis of changes in merge…

AI-processed from Habr AI; edited by Hamidun News
Source: Habr AI. Collage: Hamidun News.

RuStore has demonstrated a pragmatic approach to using AI in information security: not as a flashy showcase and not to replace specialists, but to offload the most repetitive stages of work within the release cycle. The security team automated three areas where engineers most often spend time on basic review and filtering: initial processing of Security Check tasks, review of changes in merge requests, and dynamic application testing. The logic is straightforward: if the machine can quickly gather context, highlight typical risks, and filter out obvious issues, humans have more capacity left for genuinely complex decisions, borderline cases, and deep architectural analysis.

This represents an important shift in the approach to applied security. In product development, security has long consisted of more than rare critical incidents and hunts for sophisticated attacks. The bulk of the workload is constant operations: you need to read task descriptions, see exactly what changes in functionality, understand which data is affected, which integrations appear, and where vulnerabilities might emerge according to known patterns.

Such work is mandatory, but it consumes experts' hours. Scaling the team to match this flow is not always rational: as the number of specialists grows, so does the volume of routine work, not just the depth of expertise. So betting on AI here looks less like a trendy experiment than an attempt to selectively redistribute time within the team.

The first direction is reviewing Security Check tasks at an early stage. Usually an engineer needs to quickly understand what change is in question, where security is potentially affected, and whether in-depth analysis is even necessary. AI in such a process can gather basic context from the task description, highlight sensitive areas, and flag anything that resembles a known risk pattern. This is especially useful where the task flow is high and a significant portion of requests ultimately need quick qualification and routing rather than full investigation.

The second direction is code analysis in merge requests. Here the routine checks are especially numerous: user input handling, access controls, tokens, secrets, logging, validation, external calls. If the model can go through these layers like a checklist, it becomes not "a reviewer instead of a human" but a first filter before expert assessment.

The third area is AI-DAST, that is, using the model in dynamic application testing. For a security team this is a logical extension of the same idea: some checks can be standardized, accelerated, and run more consistently without waiting for an engineer to find a window to walk through typical scenarios by hand.

In this mode, AI is useful primarily as an assistant that doesn't tire of repetitive steps and can notice deviations in application behavior more quickly. This reduces the likelihood that a routine problem gets lost between release iterations simply for lack of time for manual testing. At the same time, the final decision remains with the human: it is the engineer who assesses the context, distinguishes a real problem from a false alarm, and judges how critical the found signal is for the particular product and its architecture.

At the market level, this is a good example of how AI is gradually being embedded in mature internal processes. The most practical value here lies not in loud promises of "autonomous security," but in reducing the cost of routine work and accelerating initial checks without loss of control. If such an approach becomes established, security teams will be able to spend less time on mechanical task sorting and more time on threat modeling, non-trivial attack scenarios, and preventing errors before release.

For large product teams, this is probably what will become the main effect: not a reduction in the role of the expert, but a noticeable increase in their throughput. Essentially, it is about redistributing attention in favor of those areas where human expertise truly provides maximum value and where automation is not yet able to replace engineering judgment.

Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.