Liked chort ↙️↙️↙️ (@chort@infosec.exchange)
How it often works is DevEx & Marketing push out some half-baked thing as a free service to drive adoption and generate interest. Generally there aren't many Engineering or Ops resources assigned to these things. Monitoring is next to nothing. No one even thought to consider fraud prevention measures. Many times InfoSec isn't informed at all. When a free service that allows arbitrary hosting, or arbitrary email/SMS content goes out, the first ones to adopt it are often criminals. The end result is you're playing catch-up for months to years to get the proper level of resourcing dedicated to closing the exploitable holes. No one wants to do that for a product that isn't directly generating revenue. The thing is, if you can't afford to assign resources, you should never deploy it. If it's connected to the Internet and connected to your brand, you're going to suffer reputation loss when it's abused, and it WILL be abused. Once I got a free service (temporarily) shut down because I showed our CMO how many complaints we were getting about it from people targeted by abuse. You'll have a hard time convincing random PMs or DevEx folks to limit the project they're working on for their quarterly goals/promotion opportunity. Marketing and Legal leaders will definitely care about reputation damage if you can make a strong, evidence-backed case.
