Why Checkmarx is Building AI-led AppSec from Pune?

Pune is benefiting from its proximity to Mumbai’s financial ecosystem while offering larger campuses and lower operational costs, making it an attractive destination for BFSI-focused GCCs. 

Centres in the city are building critical global platforms, including credit scoring engines, enterprise risk management systems, fraud detection models, regulatory compliance platforms, and high-scale payment processing systems.

At the same time, while Bengaluru continues to lead on talent and technology, Mumbai recorded the highest office leasing by BFSI GCCs, according to Savills India’s latest report, Global Capability Centres: Enabling India’s Strategic Advantage.

Speaking to AIM, Sandeep Johri, CEO of Checkmarx, said the rationale behind establishing an India GCC was that they primarily serve large enterprises, most of which have their own GCCs in India. “We wanted to be able to support them locally.” 

Checkmarx is a global application security leader with over 15 years of operations. Founded in Israel and expanded across the US, the firm has research centres in Israel and Portugal, along with global sales and support teams.

With security and development teams increasingly based in India, Johri noted that having a local presence has become very useful for effectively supporting customers. Checkmarx also has several clients in the BFSI sector.

The company established its India GCC around two years ago as part of its global expansion strategy. 

Johri mentioned that while Bengaluru and Hyderabad have larger talent pools, they are also far more competitive, with demand often outpacing supply. Hiring has not been a challenge in Pune for Checkmarx. Of its total current headcount of 149 across the country, 123 employees work from Pune.  

Security challenges rise with AI coding assistants

Checkmarx’s fast-growing Pune GCC is involved in developing its next generation AI-driven security products.

While the rapid rise of AI coding assistants has changed how developers write software, it has introduced new security risks, too. Instead of being dealt with later by governance or audit teams, security is increasingly being embedded directly into the developer’s workflow, inside the IDE itself.

Today, the GCC houses R&D, technical support, customer success and services teams, all integrated into Checkmarx’s global engineering organisation.

“The adoption of coding assistants is incredible,” Johri said. “We have never seen any new technology adopted in the enterprise at this rapid a pace.”

While AI tools allow developers to generate code much faster, the quality of that code from a security standpoint remains a concern.

“The challenge is that the code generated by LLMs has a much higher density of vulnerabilities,” he said. “If you don’t address that correctly, you generate a lot of code, but you won’t benefit because you’ll get caught fixing issues later, when the developer has already moved on.”

Industry benchmarks back this up, said Johri, adding that studies show that a significant portion of AI-generated code contains errors or security flaws. “Assuming that it’s all secure is incorrect and leads to trouble,” he said.

Building in India

To address this, Checkmarx has shifted security closer to where code is written. Its AI-based product, Dev Assist, works as a plugin inside a developer’s IDE, automatically scanning code generated by AI tools in real time.

“Think of it as a security code reviewer sitting with the developer, checking any code that is being generated by the coding assistant. It’s like having a security friend looking over your shoulder,” said Johri.

As soon as AI-generated code appears, the plugin scans it for vulnerabilities, flags issues instantly, and suggests fixes before the code ever reaches a central repository.

“You are adding code faster,” Johri said, “but you’re not adding bad code faster.”

Notably, at least 50% of the Dev Assist product team is based in Pune, making India central to this shift in how application security is delivered.

While the tool automates much of the analysis, Checkmarx has deliberately kept developers in the loop.

“We could auto-remediate,” Johri said, “but we prefer to let the developer decide. Security is complex, and sometimes there are multiple valid fixes.”

The goal, he said, is not to replace developers, but to remove friction from security processes.

Beyond Dev Assist, Checkmarx is building AI agents that automate vulnerability prioritisation and remediation, and is also working on security solutions for AI and LLM-based applications themselves. All three areas are being developed across global teams, with India playing a key role, Johri confirmed.

The company is also expanding hiring in Pune across support, application security experts, developers and security researchers, with a mix of lateral and campus hiring.

The post Why Checkmarx is Building AI-led AppSec from Pune? appeared first on Analytics India Magazine.
