What is Aikido Security?
Aikido is a developer-centric security platform that gives developers and security teams an instant overview of all code-to-cloud security issues and guides teams to fix vulnerabilities fast. Aikido helps security teams execute by aggressively reducing false positives, automating triage and risk bundling, and translating Common Vulnerabilities and Exposures (CVEs) into easy step-by-step explanations for resolving them. Described as an "all-in-one" application security platform, Aikido covers the entire Software Development Lifecycle (SDLC), including: static application security testing (SAST), dynamic application security testing (DAST), infrastructure-as-code (IaC), container scanning, secrets detection, open source license scanning, cloud posture management (CSPM), runtime protection, and more.
Aikido delivers several standout strengths that materially enhance the effectiveness and efficiency of our application security programme. The following provide the most value:
- Seamless GitHub integration and large scale onboarding. The App pattern makes it exceptionally easy to onboard repositories in bulk, while the native integration ensures that users and teams are imported cleanly and kept aligned with our existing developer workflows.
- Comprehensive and effective security scanning coverage. The platform brings together a broad suite of embedded scanners, including SCA, SAST, secrets detection and IaC analysis. The inclusion of DAST with support for both GraphQL and REST API scanning further strengthens its technical depth.
- Strong developer-centric experience that accelerates remediation. The portal offers a clear and intuitive user interface and places a real emphasis on helping developers prioritise and resolve issues. Explanations are accessible, suggested auto-fixes are helpful and the ability to open pull requests directly supports rapid action.
Additional aspects that consistently add value include noise reduction and transparent prioritisation, industry-leading supply chain and malware monitoring, and the robust set of search and filtering options. These strengths combine to create a platform that is powerful and highly usable, enabling engineers to adopt security practices with confidence and velocity.
The product itself does everything we need and more. The way they support us is insane and I've never seen anything like it. We have a shared Slack channel and someone always responds, usually within minutes, and often the CTO/CEO himself engages with us and our issues directly. They often fix issues the same day, and sometimes even on weekends. Their auto-ignore functionality, while not perfect, is best in class and does an amazing job at reducing the noise so we can concentrate on the security signal (i.e. actual problems). The web UI, while not perfect, is much better than any of the competitors I looked at (by a long way) and includes very powerful filtering functionality that always allows me to narrow down to the subset of our product that I want to focus on. They have a good API and quickly add anything we find missing from it. The reporting functionality is great and super valuable to make our GRC work easier by providing reporting based on standards (such as SOC 2) that we're trying to maintain. The integrations are expansive and cover everything we need and were easy to set up. Good SSO integration and audit logging.
What stood out to me with Aikido is how clean and focused the platform feels. It doesn't bury you in endless dashboards or alerts; it gets you exactly what you need, and the prioritization makes sense. The accuracy of the findings has been much better compared to some of the other tools we used, and the reduction in false positives has made our team's life a lot easier. I also like how quickly new features and fixes roll out. It feels like a product that is actively improving, not one that's been sitting still.
There are a few areas, which are admittedly challenging across the industry, where we still experience friction at scale. The secret scanning capability offers limited visibility into the underlying rules, which makes it more difficult to tune for repeated false positives across large environments. To their credit, Aikido does offer multiple ways to manage this, although in practice it is not yet as polished as their stronger features. The license scanning can also generate false positives that can be presented as critical legal risks, which at times can undermine confidence in the severity model when viewed alongside genuine critical AppSec vulnerabilities. Although this capability can be disabled, it would be far better if it were more accurate by default, or could be more finely tuned. The reporting and trends presented in the UI are strong, but exposing this data through API access would significantly improve our ability to integrate with internal business analytics. Pull request scanning would be even better with more conversational, in-line guidance, so that developers can review issues, apply suggested fixes, and manage exceptions without switching context to the Aikido portal.
Honestly, these are all very minor (almost petty) concerns.
1) The web UI, while great overall, has some weird inconsistencies (e.g. not being able to choose how to sort tables by column on some pages).
2) The docs, while expansive, are a little sprawling and hard to search; I tend to resort to asking a web-search enabled LLM to help me find what I need.
3) The secret detection, whilst good overall, is probably the most prone to false positives.
4) The filtering is extremely powerful but can be somewhat unintuitive at times.
Nothing major, but there are a few areas where Aikido could still mature. Some parts of the dashboard feel a bit limited if you want deeper filtering or more advanced reporting. Some integrations may offer more customization options as well. This is not a deal breaker, but if they continue improving in these areas, it would make the platform even stronger.