In March, Aikido Security officially became the security software provider for Visma. The deal not only brought two European companies together but also saw a startup that’s been around for little more than a year land a customer with over €2B in revenue and 1.7 million customers globally.
“A company like Visma trusting us is a testament to the quality and maturity of our product,” Roeland Delrue, co-founder and COO/CRO of Aikido Security, said in a statement.
The security industry has usually been dominated by US and Israeli tech startups. Willem Delbare, co-founder and CEO/CTO of Aikido Security, says it is rare for a European cybersecurity company to close a customer of this size.
Delbare and Delrue co-founded Aikido Security with Felix Garriau in 2022 and the startup just announced raising $17M in Series A round. It has raised a total of $24.6M in funding and aims to bring “no BS” security to developers. However, the roots of this security startup were laid unconventionally and their story is one of a great product meeting the needs of the security industry.
Security is important
Security is important. Whether it is an apartment building or the software suite that you are building, security is paramount. However, the security industry is manual and setting up all the processes can be challenging. While managing security at his previous company, Delbare not only noticed how most security processes were manual but also the difficulty associated with building knowledge around it.
For him, this wasn’t only a painful experience but also something that could be productized. This exposure to inefficient processes in the security landscape fuelled with expensive tools delivering low value drove Delbare to fix this problem.
“I’ve used so many of them and they all suffer from the same problems. They overload you with false positives, spam you with notifications, and make triaging hard,” he says.
Once he identified the problem, Delbare joined hands with Delrue and Garriau and the trio worked on the first beta version of Aikido. Delrue tells me that they knew that their first product had to be great and that “it needs to provide true and differentiating value.”
This, the co-founders of Aikido Security, reckon, is the starting point of their story. As a PLG company, they had to build a great product but as a security provider, they had to also build a layer of trust that would encourage their partners to connect their codebase and cloud to Aikido online.
Delrue adds that they worked “super hard” to get the first beta version of Aikido online. Once the first version was live, they had some partners lined up to test and then worked on their feedback. “It led to the actual value creation and early product-market fit,” he elaborates.
But trust remained a factor and to gain the trust of their customers, they began with a “trust centre” on their website. They then worked towards compliance (ISO27001 & SOC2), social proofing, and even got reviews from credible investors, and focussed on becoming verifiable online.
However, the Ghent-based startup, says finding and hiring the right people was more challenging than building the product. Delrue says it took them a couple of months to shape up the team and then had a productive six to nine months with the core team. From there, he says they were able to further expand the team as they raised their seed round.
Say goodbye to vulnerabilities
When I asked Delbare how Aikido Security works? His response stumbled me. He labels it “pretty simple” and adds that Aikido can be set up in only a few minutes. As a developer, all you need to do is create an account with the tools that you use for your git, including GitHub, GitLab, Azure DevOps, etc. Aikido leverages the SSO of these git management tools for easy setup and says this makes user management and access way easier.
When you sign up on Aikido, you give the platform access to the codebases you would like to have scanned. The platform is designed to scan code for six different types of vulnerabilities. From dependencies, secrets, and SAST issues, to IaC issues, outdated software, and malware, Aikido scans your code extensively. Even though licence risk is not a vulnerability, Aikido also scans for any associated risk.
It doesn’t stop there. “Aikido can scan your whole development stack. (code, cloud, containers & domains) if you add these you can fully cover the application security of your app from code to cloud,” explains Delbare.
In simple terms, Aikido is a cloud-based security platform that scans your code for all typical vulnerabilities one can encounter in a web application. Here are the 10 different types of scans performed by Aikido:
- Cloud posture management (CSPM): Detects cloud infrastructure risks across major cloud providers.
- Open source dependency scanning (SCA): Continuously monitors your code for known vulnerabilities, CVEs and other risks.
- Secrets detection: Check your code for leaked and exposed API keys, passwords, certificates, encryption keys, etc.
- Static code analysis (SAST): Scans your source code for security risks before an issue can be merged.
- Infrastructure as code scanning (IaC): Scans Terraform, CloudFormation & Kubernetes infrastructure-as-code for misconfigurations.
- Container image scanning: Scans your container OS for packages with security issues.
- Surface monitoring (DAST): Dynamically tests your web app’s front end to find vulnerabilities through simulated attacks. Built on ZAP.
- Open-source licence scanning: Monitors your licences for risks such as dual licensing, restrictive terms, bad reputation, etc.
- Malware detection in dependencies: Prevents malicious packages from infiltrating your software supply chain. Powered by Phylum.
- Outdated software: Check if any frameworks & runtimes you are using are no longer maintained.
In addition to scanning for these 10 types, Aikido Security also allows its users to connect their own scanner to import and auto-triage findings from their current scanner stack. While security applications usually detect and triage everything in a silo, Aikido Security brings all these together in one dashboard so a developer can have a full overview of all possible vulnerabilities.
Application security made simple
“We’re making application security simple, accessible, and affordable,” says Garriau.
For the co-founders of Aikido Security, the real problem in the security software landscape is that many cybersecurity tools are overly complex and make it very time-consuming to go through all the security findings and fix them. Aikido wants to be an antithesis to this security landscape by making it simple to find the issues that matter.
With over 3,000 organisations using Aikido and over 300 paying subscribers, Aikido has managed to sell businesses on its security idea. Garriau explains that most of their customers use its platform to secure the software they write and like the platform, since it allows them to simplify their processes and keep everything in one place.
He adds, “With Aikido they don’t need separate tools which can become a mess and generate lots of duplicate notifications.”
Aikido is also being used by customers to become compliant. Garriau explains that when you become compliant (SOC2, ISO27001, etc.), you typically need to implement SLAs for vulnerabilities. With Aikido’s auto-triaging feature, the startup says its customers have been able to save a massive amount of time that would have been otherwise wasted on triaging false positives.
It needs to be said that the option to download and share an audit report has helped Aikido’s customers not only get through Meta’s Developer Security assessment but also drive sales.
AWS to build and scale
Like many security startups, Aikido also relies on Amazon Web Services (AWS) to build and scale its platform. Delbare says choosing AWS was a logical decision since the co-founders had lots of experience with Amazon’s cloud service platform.
“I’ve built multiple successful SaaS businesses on AWS already. It helps us scale faster as a startup,” he adds.
While Delbare says the strength of AWS is how super simple it is for a startup to scale on the platform, Garriau adds that integration is another strength. Garriau explains that they are currently not listed on the AWS marketplace and are working to become part of it sometime this year.
He says AWS Marketplace offers the kind of reach that is helpful for a fledgling startup like Aikido Security. While the Belgian startup has been collaborating with the startup team from AWS to attend events and connect to relevant VCs, he sees an opportunity to unlock even more potential.
“We see lots of potential in integrating directly into the AWS Marketplace,” says Garriau. He adds, “We think that this will simplify billing for some customers & help us get exposure to thousands Of AWS customers.”
As a young startup building a cloud-native platform, Aikido is aware of the potential scale offered by AWS and has even tapped into it. Now, it is looking to further scale its platform by not just being part of the cloud ecosystem but becoming part of the marketplace where cloud-based vendors thrive.
Focus on the European cybersecurity landscape
With legislation like NIS2 and DORA, Europe has stamped its authority as a leader in cybersecurity legislation. However, hackers continue to become more advanced, leading to increased costs of being hacked year after year. Delrue says European companies are doing their best to keep their company secure and have become increasingly aware of investing in security.
For those European businesses, Aikido wants to be the European security company they can trust and thus aims to become a key player in Europe’s cybersecurity landscape. To achieve that, Aikido has grown to 20 employees, with about half of them developers building the product. The startup is heavily investing in its product while growing its sales and marketing efforts.
It is also acutely aware of the impact of AI on its business. Delbare sees AI as a double-edged sword where it can help developers write code but often does that by compromising on security. “Even GitHub’s Copilot has been proven to write code with security flaws,” he observes.
In an environment where AI becomes a copilot to developers and helps them write code, Delbare sees security scanners like Aikido becoming even more prominent. He also sees the opportunity to leverage AI for security research. Delrue says its immediate success hinges on getting the product to market and growing its user and customer base. That focus could make Aikido Security a winner in Europe’s cybersecurity landscape.
Looking for more inspiring stories like this? Join AWS Summit Stockholm to connect with industry leaders and top regional startups, learn where investors are placing their bets and immerse yourself in technical brilliance. Register now to elevate your startup journey!
01
Meet the 10 promising startups selected for Glovo Startup Lab