Maximising Coverage: How Zepz Built Defense-In-Depth with Tracebit
Zepz's security team leverages Tracebit to gain visibility across cloud infrastructure, surface insider risk, and build a scalable detection layer without growing headcount.
Highlights
Detected real insider risk behavior within weeks of go-live, invisible to all other tooling in the stack
Broad MITRE ATT&CK coverage at a fraction of the cost of equivalent SIEM detection rules
Canaries deployed across cloud and endpoint environments with near-zero friction and "set and forget" maintenance
"As part of our comprehensive, multi-layered security model, Tracebit provides the vital, dynamic detection layer. It ensures that if an attacker compromises the perimeter, we gain immediate, high-fidelity visibility into any attempt at lateral movement, neutralizing their advantage at the point of action."

Jim Cosser
VP Security and CISO
Case study
About Zepz
Zepz is the global payments group powering leading international remittance brands, WorldRemit and Sendwave, to build the next generation of cross-border payments. Serving more than 9 million customers across 2,000 corridors in over 130 countries, Zepz is transforming how money moves - making it faster, safer, more convenient, and more affordable. Its innovative, customer-centric solutions, incorporating technologies like stablecoins, are designed to break down financial barriers and expand access to better financial tools. New products like the Sendwave Wallet go beyond traditional remittances, enabling customers in over 100 countries to store, send, spend, and save money in digital dollars, supporting Zepz’s mission to drive financial empowerment and prosperity for people in the global south.
Challenge
Zepz's security operations team had adopted an Assume Breach mindset, recognizing that no perimeter is impenetrable. The priority was ensuring that if a targeted attacker got through, the team would know about it quickly.
As the attack landscape changes and complex attacks become easier and cheaper, high-fidelity detection becomes even more valuable. The existing security tooling generated excessive noise, making it more difficult to cleanly detect genuine threats. Given time constraints, building bespoke detection rules for every possible scenario was not viable.
Solution
Zepz partnered with Tracebit to deploy canary infrastructure across their cloud assets, secret stores, and end-user devices. For endpoint coverage, the experience was near instant.
"All we had to do was connect our MDMs, ensuring a seamless rollout."
Jim Cosser, VP Security and CISO at Zepz
For cloud infrastructure, Tracebit provided Terraform modules that slotted directly into Zepz's existing IaC workflows, requiring minimal configuration before the rollout scaled across the estate.
To maximize deterrence, Zepz implemented rotating code names for Tracebit assets in GitHub PRs, so that teams are aware the platform is deployed but have no way to identify which assets are part of the deception layer.
"The platform's presence is known to everyone, yet the specific means to identify or avoid the detection layer remain completely unknown."
Jim Cosser, VP Security and CISO at Zepz
Outcome
Surfacing the Unknown
The alerts drove immediate action: tighter access controls and a shift toward pulling secrets by name through infrastructure-as-code.
"Tracebit provided the only practical means to discover and address this kind of internal risk behavior."
Jim Cosser, VP Security and CISO at Zepz
Deterrence at Every Layer
With Tracebit deployed and its presence communicated internally, engineers know canaries exist throughout the environment but have no way of identifying them. For malicious insiders or compromised accounts alike, there is no safe path through.
High Coverage, Low Overhead
The deployment delivered broad MITRE ATT&CK coverage across lateral movement and initial compromise techniques, spanning cloud assets where the complexity of a constantly evolving environment makes detection particularly challenging. Automatic name rotation and canary recycling keep the deception layer fresh without any manual intervention, and as the environment grows and changes, so does the coverage.
"The platform delivers exceptional value for its cost, far surpassing the effort of allocating hundreds or thousands of engineering hours to develop new SIEM-based detection rules."
Jim Cosser, VP Security and CISO at Zepz
Low Maintenance
With the model in place, ongoing overhead is near zero. The team monitors alerts and reviews configuration periodically, but Tracebit handles the rest, freeing the team to focus on what matters most.
"Our time is valuable and the less time we have to spend on maintenance tasks, the more we can focus on our high impact projects."
Jim Cosser, VP Security and CISO at Zepz
Looking Forward
As AI increases attacker sophistication around social engineering and initial access, Zepz sees Assume Breach as an even more critical planning assumption. Tracebit's dynamic canary layer is central to that strategy, evolving alongside the environment to ensure no threat actor can build a reliable map of what to avoid.
"AI increases attackers' capabilities in various ways that make a breach more likely, and therefore Assume Breach is a more important thing to focus on."
Jim Cosser, VP Security and CISO at Zepz