How Oscar Health Scaled Secure Development and Risk Prioritization Across Engineering
“With Prime, we can scale security reviews. The reviews aren’t blocked because of our resource limitations. Engineering teams aren’t waiting in a line for reviews. They put tickets in, Prime ingests the tickets and reviews all associated artifacts and provides insight. When the size of engineering is multiple factors of size greater than the size of the security team, the only way to meet that demand is with intelligent automation.”
Evan Oslick, Head of Product Security
Results with Prime
- 15 minute security reviews
- 100% of development reviewed
The Challenge
As Oscar Health’s engineering organization scaled, development velocity began to outpace traditional security review processes. Security reviews were largely manual and dependent on a small number of subject-matter experts, making it difficult to keep up with the volume and speed of new features.
Operating in a highly regulated healthcare environment added another layer of complexity. Every feature had the potential to impact member data, privacy obligations, and regulatory compliance, raising the stakes of missed or delayed security reviews. Security teams were expected to provide consistent, defensible guidance while keeping pace with rapid product delivery.
This created several structural gaps:
- Incomplete security coverage - Not every feature or change was reviewed because manual reviews could take hours or days; this increased the risk of blind spots across the product and led to misalignment with development cycles
- Reactive security posture - Security teams often became involved after development was already underway, limiting their ability to influence design decisions early
- Challenging risk prioritization - Without consistent, task-level risk assessment, it was difficult to distinguish high-impact risks from lower-priority issues across all engineering work
“In healthcare, security and compliance aren’t optional. Our ability to scale these reviews to a reasonable delivery rate wasn’t going to happen. We needed a way to automate reviews and scale our strong resources.” Evan Oslick, Head of Product Security
In an environment where regulatory expectations are high and mistakes are costly, Oscar needed a scalable approach that ensured coverage, identified new risks as they emerged, proactively prioritized them, and delivered guidance fast enough to support modern development velocity.
Working with Prime
Oscar Health adopted Prime’s Agentic Security Architect to automate security reviews and proactively identify risk across all engineering work, enabling security to scale alongside development velocity in a highly regulated healthcare environment.
With Prime in place:
- Fast, actionable reviews for every feature in under 15 minutes - Every risky new feature request, change ticket, or design document automatically triggers a security review. This ensures consistent, end-to-end coverage across all engineering work, without relying on manual intake or additional process overhead. Reviews align with sprint cycles and developers receive clear, actionable guidance.
- Proactive risk identification and prioritization - Prime evaluates risks across all planned engineering work and contextualizes them against Oscar’s overall risk profile. This allows security teams to focus on the highest-impact risks, rather than treating all findings equally.
- Centralized visibility across engineering - Security teams gain a unified view of risk across products, teams, and initiatives, enabling better prioritization, planning, and decision-making.
Looking Ahead
Oscar Health plans to extend its automated security reviews beyond design, automatically validating that implementation aligns with approved design decisions as work moves into code. By continuously checking for drift between design intent, identified risks, and actual implementation, Oscar aims to improve consistency, traceability, and confidence across the development lifecycle.
