Service providers offer network-based services to fulfill user's computing-service needs without the users having to invest in and maintain computing infrastructure required to implement the services. For example, service providers may provide network-based computing resources and functionality to implement various types of services, such as scalable storage services, computer-processing services, speech-recognition services, payment-transaction services, and so forth. Often, these network-based services store and process sensitive or private information for the users, such as names of users, payment information of the users, etc. To prevent unauthorized, and potentially malicious, entities from obtaining the sensitive and private information, service providers employ service teams to manage security properties of the network-based services to identify and prevent security threats to the network-based services. For instance, service teams of security engineers identify security threats to the network-based services provided to users, and subsequently mitigate the security threats.
Users or developers of network-based services may be allowed or permitted to modify or otherwise make changes to the network-based services, such as modifying source code to change functionality of the services, add additional users to access-control policies to make the polices more permissible, and so forth. The amount of changes made, and the frequency at which the changes are made, to the network-based services make it more difficult to identify security threats that exist in the network-based services.