Matthew Marji, Security and Compliance at WorkOS

“Sagetap has made a huge impact on the time to solution. We typically only need to review 2–3 vendors to make a decision, knowing that they’re already a good technical fit for the problem we're trying to solve.”

February 13, 2026

In this week's Sage Spotlight, Matthew Marji, Head of Security and Compliance at WorkOS, shares how AI has transformed his 2026 roadmap and why Sagetap has become essential for discovering best-fit vendors. Matthew explains how the platform has helped him quickly evaluate solutions across multiple organizations, build lasting partnerships with innovative vendors like Socket and ZeroPath, and cut his time to solution dramatically.

Key Takeaways

  • AI as a Security Game-Changer in 2026: As WorkOS rolled into 2026, AI became a priority. Matthew is focused on using AI to build security tooling and ensuring security and compliance keep pace with how developers integrate AI into products.
  • What's Missing in AI Security Conversations: Matthew believes the industry isn't discussing the security and compliance implications of rapid AI adoption enough. He asks vendors about their AI guardrails, data management, and transparency to establish baselines.
  • From Painful Searches to Targeted Matches: Before Sagetap, Matthew relied on Gartner and word-of-mouth — a "really painful" process that involved managing lengthy sales cycles. Now, Sagetap helps him quickly assess technical fit and narrow evaluations to two or three qualified vendors at a time.
  • Bringing Socket Across Organizations: Matthew found Socket on Sagetap and has maintained the relationship across multiple companies, impressed by their continuous innovation, including deep reachability analysis through their Coana acquisition.
  • ZeroPath's AI-First SAST Approach: Matthew is excited about ZeroPath's ability to find chained vulnerabilities across multiple files and provide business context around authorization and logic problems — delivering more value than traditional SAST tools.

Full Transcript

Matthew Marji: I'm based in Toronto, Canada. I'm currently at WorkOS, where I lead security and compliance. 

So that's both the security of our product end-to-end, as well as a lot of our customer trust. So ensuring that we are on top of our compliance, as well as making sure that we're connecting with existing customers and prospective customers to make sure that WorkOS continues to meet all of their expectations and that we continue to build trust, as there is a lot of customer data that WorkOS manages. 

Meghan Lafferty: We're about a month into 2026. What is most pressing for you and your team, either in Q1 or throughout the year? 

Matthew: We had some ideas for what our initiatives were, but as we rolled into 2026, AI quickly became a game-changer. 

We are thinking about how AI is used within the organization, how AI is being used as an advantage for us to build out security tooling instead of maybe doing only a SAST solution. It is a way for us to think about how AI will play a part in developers that are working on our product. And so it's just really important for us as a security and compliance arm to make sure that we embrace that and follow along with the velocity. 

And this is what's really exciting, is having these conversations to learn, oh, there are new ways of thinking about this. One of the big ways we do that is by staying connected with both other Sages on Sagetap, but also too with others in the cybersecurity industry. And so we're always sharing information and things that we're learning. 

Meghan: Is there something that you feel the industry is not talking about enough, either related to AI or otherwise? 

Matthew: AI is quickly being integrated into all parts of an organization, even in our personal lives, and I don't hear enough of the industry talking about what are the security and compliance ramifications of this? This is incredible, don't get me wrong, but what is the trade-off here? 

Another thing that I think about is, security has a number of vulnerability types; are we thinking about how introducing AI is maybe reintroducing some of these vulnerability types? 

It's kind of like leaning back on a lot of our first principles and asking, how do these apply to AI? AI is moving super quickly, and people don't want to get left behind, we want to try things. But a large part of that, too, is making sure that we are, again, from a security and compliance point of view, trying to keep up with it. 

Meghan: So if I'm a vendor, what should I do? Are there opportunities there? 

Matthew: Without a doubt. I think large parts, a large part that I ask vendors about is not only their AI strategy, but I ask about the guardrails around their AI. 

I'm asking about how they're managing data. I'm asking about what we have control over in terms of the prompts, in terms of what data it collects, the sources that it collects information and data from. 

I really appreciate when vendors have a transparent view into their usage of AI, and that brings a lot of clarity for us and allows us to have a baseline, as we're trying to introduce AI across our products, to know where other vendors are coming from and what their standard is for AI as well. 

Meghan: Before Sagetap, what was your process for finding and evaluating vendors that could be a fit? 

Matthew: Oof, yeah. If you followed Gartner, that's kind of the collection of vendors that I worked with. It was either vendors that I had heard acquaintances use, or ones that make it to these lists. I found a lot of the times that I was doing these either word-of-mouth or just broad reviews of vendors. And it was a really painful process.

Coming as an engineer, I want to see if it's a technical fit. A large part of it was constantly managing the sales relationship side as well. I just want to know what you do and get a sense of if it's a good fit. From there, then I can decide what's next. And that was missing for me. 

Meghan: You've been on Sagetap for a while now, and you've been at different companies while you've been on Sagetap. 

Matthew: Yes. It has allowed me to continue to use vendors that I found on Sagetap that have been high-impact for me. And it's also allowed me, as I move organizations, to very quickly get an understanding of relevant vendors in the space where I'm looking to solve a problem. 

And I've continued to go back into Sagetap to find vendors and even talk to other Sages to try to understand, how are people solving this problem in this current time? It has made a huge impact on the time to solution. 

There are likely going to be numerous solutions that may fit 50%, 70%, 80%. How do we effectively find the best solution for the problem that we're trying to solve that fits well into our organizations? 

And so what's been really great about Sagetap is I've been able to take what I've learned from past vendors that I've built relationships with on Sagetap, and very quickly gone into that depth. 

We're typically doing maybe two to three vendors that we review at a time, and that's plenty to make a decision, knowing that they already have surpassed the threshold of a good technical fit for the problem we're trying to solve. 

Meghan: That's something I've been hearing from more and more Sages lately, that they used to find vendors that were a pretty good fit, and Sagetap has helped them actually find the 10-out-of-10 fit that they've been looking for. 

Matthew: Totally agreed. It's a constantly evolving platform of solutions. Every time you go into it to learn and try to understand the landscape, you're very quickly learning what is out there at the moment. Whether it's a vendor that there's a problem we're trying to solve or not, it's been great for exploration and learning, too. 

Meghan: Let's get into some of the actual vendors that you've met on the platform. 

Matthew: I will go over two of them. 

Socket solves a really important problem. Everybody who's writing source code will pull in libraries of some sort. Tens of them. Hundreds of them. The problem is, when there is a security vulnerability in their code, how do we know? If something net new happens, we will know right away thanks to Socket. 

I've continued my relationship with Feross and the Socket team from that call all the way through to now, and I've continued to bring them on board across the organizations that I've worked at, because I feel that they are just building such an incredible product, and what excites me about them is they continue to grow and iterate. 

They acquired a company called Coana, where they are now doing really deep reachability analysis, meaning that they are going to tell you whether or not a vulnerability in a dependency is actually something that in your source code could lead to the vulnerability. 

And so now they're continuing to build out things like Socket Basics and Socket Firewall that go beyond that. These are preventative solutions and ways for your security team to explore how to be as proactive as possible in managing the dependency lifecycle, without needing to spend a lot of time digging through results and findings. 

Meghan: It is very cool to hear you talk about Socket because I know when we talked to you a couple years ago, Socket was one of your favorite vendors. So always cool to see when you make that early relationship and then just continue to stay with them as they evolve and match what you need better. 

Matthew: Yes, very, very happy and impressed with the work that they're doing. 

I have one more, and it's still pretty early stages for us, but the company ZeroPath has absolutely blown my mind in terms of their AI-first way of thinking about SAST. 

It's essentially providing you with finding really important vulnerabilities that are not just in one piece of code, in one file. They are chained and linked and connected. And there is a context that gets built around, this is why this is a business logic problem, or this is the reason why this is an authorization problem, because of this, this, this, and this that we've found and put together and now presented to you. 

That is providing us so much more value so far in our evaluation than a typical SAST, even the best of SAST providers in the industry, are providing. And so I am very bullish on where ZeroPath is going and what it is that they do. 

Meghan: So if there is somebody in your shoes a few years ago, before you joined Sagetap, what advice would you give them? 

Matthew: Take the first step for learning. And that's really where I started. I feel pretty confident, from there, you'll quickly realize how integral the platform becomes to how you think about finding vendors and solving problems. 

A lot of the times I may have come into a conversation thinking, oh, I know how this is going to go, and been absolutely wrong and have learned a lot. That is undoubtedly, for me, how I've realized that the platform has changed the way that I think about approaching problems I'm trying to solve.
