Aikido Security

1.1 Identity, footprint, and product thesis

Aikido Security consistently presents itself as a developer-first unified security platform that connects code, cloud, and runtime security in one workflow. That identity is visible across the official about page, pricing page, press kit, customer stories, and the January 2026 Series B announcement. The company's pitch is not just broad feature coverage; it is that developers should receive fewer but higher-quality security tasks, with triage, remediation, and compliance evidence generation embedded into normal engineering work. The pricing page reinforces that this is a SaaS product with freemium entry, self-service onboarding, and paid expansion into broader platform governance, reporting, and enterprise services. Geographic identity requires more care than the usual headline. The press kit says Aikido was founded in Ghent, Belgium, and outside coverage repeatedly describes it as a Ghent-based Belgian startup. At the same time, the official about page currently lists a UK headquarters in London and a U.S. office in Chicago, while the careers page says the company is remote-friendly with a home base in Belgium and open roles across Ghent, London, Chicago, and San Francisco. The right synthesis is that Aikido is clearly Belgian-founded and still Belgium-centered in talent branding, but its current public operating footprint is multi-country and its exact legal headquarters structure is not fully transparent from retained sources. [CO001, CO003, CO004, CO005, CO006, CO007]

1.2 Founders, leadership, and governance visibility

Leadership visibility is reasonably strong for a private European cybersecurity company of this age, but governance visibility is still partial. Current official hiring materials identify Willem Delbare as co-founder and CEO/CTO, Roeland Delrue as co-founder and COO, and Felix Garriau as co-founder and CMO. The same page also lists Madeline Lawrence as late co-founder and chief growth officer, alongside commercial leaders such as Thijs Janse and Louis Jonckheere. That gives a clear picture of who drives product, operations, marketing, growth, and U.S. expansion. Founder-market fit is one of the more persuasive elements of the overview. Public interviews and funding coverage repeatedly frame Aikido as a product built by former operators frustrated with noisy, fragmented developer-security tools. Delbare's prior company-building experience helps explain the team's speed in product packaging and go-to-market execution. But investors should separate leadership visibility from governance disclosure. Retained public materials identify capital providers and strategic backers, yet they do not provide a clean board roster, committee map, or independent-director structure. For a business now valued at $1 billion, that is a material diligence gap rather than a trivial omission. [CO010, CO011, CO012, CO013, CO044]

1.3 Capital formation, traction, and public scale

Aikido's funding trajectory is unusually compressed. Public seed reporting in November 2023 described a €5 million round co-led by Notion Capital and Connect Ventures, while the company and TechCrunch then documented a $17 million Series A in May 2024 led by Singular with continued support from Notion and Connect. The January 2026 Series B added $60 million led by DST Global, with PSG Equity and prior investors participating, and priced the company at a $1 billion valuation. The official about page now summarizes total capital raised at about $85 million, while BankInfoSecurity reports nearly $85 million across four rounds, implying some form of smaller pre-seed or convertible financing before the formal seed. Traction signals are strong but should be normalized carefully. The Series A narrative emphasized 3,000 organizations and 6,000 developers, while the January 2026 company materials shifted to 100,000-plus teams and cited public customers such as the Premier League, Revolut, SoundCloud, and Niantic. Revenue reportedly increased fivefold in 2025 and customer count more than tripled, which is directionally impressive even if the company still does not publish ARR, gross margin, retention, or audited revenue. Review-platform evidence is positive on usability and breadth, but those datasets remain small, so institutional investors should treat them as supporting signal rather than final proof of durable enterprise product-market fit. [CO014, CO015, CO016, CO017, CO018, CO019]

1.4 Milestones, mixed signals, and open questions

The milestone record supports real momentum beyond fundraising headlines. Aikido launched publicly in April 2023, moved from seed to Series A within roughly six months, acquired AI-native pentesting teams Allseek and Haicker in September 2025, and introduced Aikido Infinite in February 2026 as a continuous AI pentesting and remediation product. The company is clearly evolving from a broad developer-security platform into a stronger autonomous-security thesis centered on self-securing software and machine-speed penetration testing. The same record also surfaces the main diligence cautions for later chapters. Public headcount reporting is inconsistent, with January and May 2026 sources citing 130, 164, 180, and 200-plus employees. Customer-disclosure denominators also vary between organizations, developers, and teams, making it risky to treat any one number as directly comparable over time. Review sources are broadly favorable, but the adverse points matter: users still flag missing advanced API and reporting capabilities, some lingering false positives, and feature gaps on lower tiers. Most importantly, governance structure, audited financials, and exact current customer-account counts remain private. The company looks fast-growing and credible, but not yet fully transparent. [CO026, CO028, CO029, CO030, CO034, CO035]

2.1 Market boundary, included spend, and substitutes

The most useful market boundary for Aikido is not generic cybersecurity spend. Aikido's own product and use-case pages show a platform that spans application security, software supply chain security, cloud posture, runtime or attack-surface coverage, and compliance-oriented evidence generation. That means the company's real addressable market includes more than pure SAST or DAST budgets, but also stops short of every security dollar a large enterprise might spend. The right boundary is code-to-cloud developer security for teams that want fewer tools, faster remediation, and audit readiness in one system. Retained official segment pages also show that Aikido is deliberately selling into multiple buyer environments: startups, enterprise teams, fintech, agencies, and partner-led channels. The substitute set therefore includes standalone AppSec tools, cloud-security tools, point compliance tools, manual or periodic pentesting, patchworks of open-source scanners, and internal buildouts inside CI/CD. Aikido's comparison pages make that explicit by framing Snyk, GitHub Advanced Security, Orca, Veracode, and Mend as status-quo alternatives. The implication for market sizing is important: a narrow lens based only on code scanning understates the problem Aikido is trying to solve, but a lens that includes all cloud-security and GRC spend overstates it. [CM001, CM002, CM003, CM009, CM010, CM011]

2.2 TAM, SAM, SOM, and contradictory estimates

Third-party market estimates confirm that application security is already large, but they are not directly comparable. Mordor and Fortune both place the global application-security market around $14.8 billion to $14.9 billion in 2026, while Coherent is directionally similar at just above $15 billion. MarketsandMarkets, by contrast, publishes a much broader 2026 figure of $41.16 billion and a 2031 figure above $66 billion. The spread is too wide to average blindly. The more plausible interpretation is that the narrower cluster tracks core AppSec tooling and related services, whereas the larger figure pulls in a broader platform and services perimeter around application protection. For Aikido specifically, a bottom-up lens is more useful than a single industry headline. Mordor says large enterprises still account for the majority of spend, but small and medium enterprises are the faster-growing slice. That matters because Aikido's positioning, pricing, onboarding model, and industry pages all lean toward teams that need serious coverage without security-program overhead. A defensible 2026 TAM for core AppSec sits near $15 billion, but Aikido's practical SAM is a smaller subset of cloud-native SMB, fintech, agency, and digitally native enterprise teams willing to buy integrated developer-first security. A reasonable analytical SAM band is roughly $2 billion to $3 billion, with a narrower near-term SOM below $1 billion until the company proves deeper penetration into very large enterprise accounts and regulated buyers. [CM015, CM016, CM017, CM018, CM019, CM020]

2.3 Buyer, user, payer, and channel segmentation

Aikido's official industry and integration pages imply a segmented go-to-market rather than a single monolithic ICP. Startups buy because founders, CTOs, and early developers need an all-in-one tool that gets them to secure coding and compliance basics without standing up a dedicated AppSec team. Enterprise buyers care about scale controls such as SSO, role-based access, on-prem scanners, monorepo management, and large-repository or multi-cloud coverage. Fintech buyers prioritize credibility with customers, auditors, and regulators, especially around DORA, PCI DSS, ISO 27001, and NIS2. Agencies and MSPs, meanwhile, value multi-tenant management, margin protection, and proof they can secure many client repos without exploding operating cost. The user and payer are not always the same. Developers and platform engineers are the day-to-day users across segments, but budget owners change: founder or CTO in startups, security or platform leadership in enterprise, compliance and risk leaders in fintech, and principals or delivery managers in agencies. Partner and integration pages add a second layer to the segmentation. Vanta, Drata, and Sprinto are not pure competitors; they are adjacent compliance systems that can help Aikido land where audit readiness is the first buying trigger. Likewise, reseller, MSP, and technology-partner motions can expand distribution into accounts that prefer service-led procurement or bundled offerings. [CM003, CM004, CM005, CM006, CM007, CM008]

2.4 Growth drivers, adoption constraints, and market thesis

The structural growth drivers are strong. Third-party market reports and regulatory sources all point in the same direction: more cloud-native applications, more APIs, more open-source dependencies, more AI-generated code, and more compliance obligations. The Latio report argues that application security is being reshaped by AI-assisted coding and scanner consolidation, while CISA elevates SBOM and VEX into software-supply-chain fundamentals. The EU Cyber Resilience Act pushes lifecycle security and vulnerability management into software procurement expectations, and Aikido's own fintech and compliance pages translate DORA, PCI, ISO 27001, SOC 2, HIPAA, NIS2, and OWASP into concrete buyer pain. But market adoption is not frictionless. AppSec buyers still struggle with noisy tools, overlapping categories, duplicated spending between point products, and developer skepticism when false positives overwhelm workflows. Price sensitivity is real in SMB and startup environments, while large enterprises often prefer incumbent stacks, internal build, or best-of-breed specialists. That means Aikido's market thesis is best framed as category convergence plus workflow simplification. The company's clearest lane is not “all cybersecurity”; it is helping developers and lean security teams replace fragmented AppSec and compliance workflows with one integrated platform. If Aikido continues to win where speed, affordability, and evidence automation matter most, the market is large enough. If the market recenters around heavyweight enterprise suites or buyers decide best-of-breed depth matters more than consolidation, adoption will be slower than the broad headline TAM implies. [CM023, CM024, CM025, CM026, CM027, CM028]

3.1 Landscape, peer set, and substitute categories

Aikido's substitute set is broader than a single named rival. The company's own comparison pages identify direct peers across several clusters: developer-first AppSec specialists such as Snyk and Semgrep; platform-native code hosts such as GitHub Advanced Security and GitLab Ultimate; enterprise-first AppSec vendors such as Veracode and Checkmarx; cloud or posture-centric platforms such as Orca, Jit, and Apiiro; and supply-chain-focused vendors such as Mend and Endor Labs. This is the right way to think about competition, because buyers do not compare one-for-one products with identical scope. They compare credible ways to solve the same problem inside their existing stack. That broader framing also means the status quo is not just “buy another tool.” Buyers can stick with a patchwork of open-source scanners, depend on platform-native features from GitHub or GitLab, outsource more work to pentesters or consultants, or combine code-only and cloud-only vendors. AppSec Santa’s 2026 alternatives guide reinforces that the decision is often about depth versus simplicity rather than raw scanner count. Aikido’s main competitive advantage is simplicity, price visibility, and bundled coverage. Its main vulnerability is that specialized buyers can rationally choose a narrower but deeper platform. [CP001, CP012, CP013, CP029, CP038]

3.2 Capability, pricing, and strategic direction

The competitor field breaks into distinct strategic models. Snyk remains a broad developer-first AppSec platform with add-on modules and seat-based pricing. GitHub Advanced Security sells native code and secret protection inside the largest developer workflow in the market. Semgrep competes on developer friendliness, free entry, and a contributor-based model. Veracode and Checkmarx emphasize enterprise-grade platform breadth, governance, and deeper large-account sales motions. Orca, Apiiro, and Jit are stronger examples of context-rich code-to-cloud or ASPM-style positioning, while Endor Labs and Mend push harder on software-supply-chain intelligence and prioritization. Price transparency itself is a strategic variable. Aikido publishes simple entry pricing, GitHub publishes active-committer pricing for code and secret protection, Snyk advertises starting plans, and Semgrep openly shows free and paid packaging. By contrast, much of the upper-enterprise field still relies on quote-driven procurement. AppSec Santa’s pricing guide notes how quickly enterprise AppSec stacks can move into the $30,000 to $150,000 annual range and above. That matters because Aikido is trying to win accounts where procurement simplicity and total-cost clarity are part of the product, not just a commercial footnote. [CP002, CP003, CP004, CP005, CP006, CP007]

3.3 Switching costs, multi-homing, and distribution power

Switching costs in AppSec rarely come from one scanner alone; they come from the workflow around it. Once a team connects repositories, CI/CD, ticketing, identity, cloud accounts, policy rules, compliance evidence, and historical findings into one platform, the cost of moving rises. That is especially true for GitHub and GitLab, where security is sold inside the system of record for code and pipelines. It is also true for enterprise-first vendors that have years of governance process and reporting wired into security teams. Buyers therefore often multi-home: one product for code or supply chain, one for cloud posture, one for compliance evidence, and one for pentesting or DAST. Multi-homing cuts both ways for Aikido. It lowers the absolute switching barrier because many buyers are already accustomed to mixing vendors, but it also means Aikido can be displaced in any one module by a stronger specialist. Platform-native distribution is the most serious structural competitor. GitHub and GitLab can attach security to repositories, workflows, and pricing plans users already trust. Specialist depth is the second structural competitor. Endor, Mend, Orca, Apiiro, Veracode, and Checkmarx can all claim expertise in narrower domains. Aikido's best defense is to be sufficiently broad, sufficiently accurate, and sufficiently easy to justify that consolidation beats specialization for the target account. [CP014, CP017, CP018, CP025, CP026, CP030]

3.4 Moat durability, commoditization risk, and adverse evidence

The strongest competitive question is not whether Aikido has rivals; it clearly does. The real question is whether its wedge stays differentiated as AI-assisted scanning, autofix, and platform consolidation become table stakes. Several retained sources point toward convergence. Veracode and GitHub both emphasize AI-powered remediation. Jit and Apiiro emphasize context graphs and unified execution. Endor Labs pushes AI-native reasoning plus reachability. Orca argues that context and prioritization are the answer to alert fatigue. In other words, almost everyone is moving toward “fewer alerts, more context, faster fixes.” That convergence creates real commoditization risk. Aikido’s own alternative pages are useful because they expose the substitute set, but they are not neutral evidence. AppSec Santa’s alternatives guide is more helpful on the core trade-off: buyers look elsewhere when they need deeper specialization, richer ecosystems, or more mature enterprise controls than an all-in-one platform can offer. Aikido’s moat is therefore practical rather than absolute. If it can keep total cost low, setup easy, and cross-layer signal quality materially better, it can win a durable mid-market position. If larger platforms and deeper specialists close the simplicity gap, Aikido’s edge narrows quickly. [CP015, CP016, CP027, CP028, CP029, CP036]

4.1 Revenue model, pricing, and land motion

Aikido's public monetization model is clearer than its actual financial performance. Official pricing, about, startup, and enterprise pages all point to a deliberate land-and-expand design: a free entry point, transparent list pricing for Basic, Pro, and Advanced tiers, and then a set of enterprise-only upsells such as custom SLA, multi-tenant management, on-prem or local deployment, broker support for internal applications, and premium onboarding or support. SourceForge independently mirrors the same tier structure and confirms a free plan with 2 users and 10 repositories, which makes the product unusually legible for startups and smaller engineering teams compared with many security vendors that force custom sales engagement early. That simplicity should not be confused with a pure one-line SaaS SKU. Partner and integration pages imply at least four monetization layers: recurring platform subscriptions, enterprise service packages, partner-led bundled sales through resellers and MSPs, and compliance or pentest-adjacent value capture tied to evidence generation and broader security workflows. The pricing page's AI pentest language suggests a usage-triggered or report-unlock component around offensive validation, but retained public materials do not disclose what percentage of revenue comes from recurring software versus one-off or service-like work. The most reasonable view is therefore a hybrid software-first model with attractive top-of-funnel accessibility and multiple expansion levers, but still no public revenue-mix disclosure robust enough for underwriting. [CI001, CI002, CI003, CI004, CI005, CI006]

4.2 GTM motion and unit-economics proxies

Aikido appears to combine low-friction inbound adoption with selective sales-assisted expansion. The Series A blog explicitly says the company is freemium and self-service, while official startup positioning frames the product as a practical answer for SMEs that need security and compliance without dedicated AppSec staff. Customer stories then reinforce a low-implementation narrative: one case says 150-plus developers were onboarded in 45 minutes, while others emphasize noise reduction, workflow fit, and monthly developer time saved. These are company claims rather than audited proof, but they point toward a model where deployment friction is intentionally minimized so that users can convert without a large professional-services burden. The upmarket side of the model is visible too. Enterprise and partner pages describe SSO, local scanners, scale for 2,000 repositories and 500 users, reseller commissions, MSP admin tooling, and co-sell motions. That suggests a second motion with higher ACV, longer sales cycles, and more partner leverage than the free tier alone would imply. Public review data is directionally supportive on usability and breadth, but the adverse signals matter for unit economics: G2 users complain about limited API depth, reporting on lower tiers, and pricing that can feel high for startups. Those issues can both help and hurt economics. Packaging limits may nudge upgrades, yet they can also slow conversion or expansion if small buyers sit on the free tier and sophisticated teams demand deeper platform capabilities before paying enterprise-level prices. [CI005, CI006, CI010, CI011, CI012, CI013]

4.3 Filing-derived cost structure and public scale

The most concrete public financial evidence comes not from management commentary but from registry and filing-derived records. The Belgian Aikido Security BV summary shows that for the fiscal year ended 2025-01-31 the entity reported €18.2 million of assets, €14.7 million of equity, and €3.48 million of liabilities, alongside a negative gross margin of €3.73 million and operating profit of negative €4.43 million. The prior year showed a smaller asset base of €5.65 million and a smaller operating loss of negative €0.86 million. Read literally, that means the reporting entity was still deeply investment mode through early 2025 and that spending ramped materially as the company scaled. But investors should not over-read those figures. The Belgian filing summary is entity-level, not a full consolidated management account, and Aikido's public operating footprint now includes a U.K. headquarters label, a U.S. office, and a newly formed U.K. legal entity. Companies House records show AIKIDO SECURITY LTD was incorporated on 2026-04-09, later shortened its accounting period to 2027-01-31, and filed post-incorporation capital documents immediately. That makes the public legal structure more international than the Belgian filing alone suggests. The correct synthesis is that the available filing evidence proves capital buildup and ongoing losses at the core Belgian entity, but does not answer the harder questions on consolidated gross margin, cash efficiency, revenue recognition, or whether pentest and services activity is margin accretive or dilutive at scale. [CI007, CI008, CI009, CI015, CI016, CI017]

4.4 Capital adequacy, financing dependency, and diligence blockers

Public sources support the view that Aikido is well financed for its stage, but they do not let an investor calculate runway with confidence. The official about page and BankInfoSecurity both point to roughly $85 million of total disclosed funding, and the Series B announcement makes clear that management intends to spend aggressively on autonomous security and AI-driven pen testing. Solutions Magazine adds that revenue grew fivefold in 2025, nearly half came from the United States, and the customer base almost tripled, which suggests the company is scaling into a larger commercial footprint rather than simply warehousing capital. ARR Club's paywalled signal page goes further by placing ARR above $10 million in January 2026 and at $25 million by April 2026, but those figures should be treated as external estimate bands rather than verified company disclosure. The underwriting problem is not whether Aikido has momentum; it is whether that momentum converts into durable, efficient revenue. There is still no retained public disclosure of consolidated revenue, gross margin, net retention, CAC, payback, logo concentration, cash balance, debt, or runway months. Review data hints that the company is using transparent list pricing to disrupt a market full of expensive tool patchworks, while official enterprise and partner pages point to credible expansion vectors. Still, without management accounts and customer-cohort detail, investors cannot determine whether the business is a high-gross-margin SaaS compounder, a blended software-and-services model, or a capital-hungry growth story still proving its steady-state economics. The verdict is favorable on strategic trajectory and capital access, but still incomplete on revenue quality and cash durability. [CI007, CI008, CI010, CI011, CI021, CI023]

5.1 Platform scope, module map, and differentiation

Aikido is not presenting a single scanner with add-ons; it is marketing a full application-security operating surface that starts in source code, extends into cloud and container posture, reaches into API and offensive testing, and ends with runtime controls and governance outputs. The retained module pages support that framing. Code products cover SAST, SCA, secrets, IaC, containers, and SBOM/compliance use cases, while cloud pages add CSPM and runtime inventory and the attack surface includes API fuzzing, DAST-style monitoring, pentests, and the newly launched Infinite workflow. Zen then sits as a separate runtime asset rather than a mere extension of the code scanner. What makes the product thesis more credible than generic bundle marketing is the amount of developer-native and open-source evidence underneath it. Aikido openly ties SAST to Opengrep, publishes Zen runtimes and Safe Chain on GitHub, and distributes through GitHub Marketplace with meaningful install volume. That does not prove every module is best-in-class, but it does show an architecture and go-to-market model built on workflow fit, auditable components, and distribution channels that developers actually touch. The main differentiation claim is therefore breadth plus low-noise automation, not extreme specialist depth in each individual category.[CE001, CE002, CE003, CE004, CE005, CE014]

5.2 Developer workflow and operating model

The technical operating model is one of Aikido's strongest public assets. Documentation and product pages show onboarding through source-control integrations, read-only cloud connectors, registry access, optional local scanners for restricted environments, and in-app Zen libraries when customers want runtime coverage. That means the platform can start as lightweight SaaS-style scanning, but the fuller version depends on deeper customer telemetry from CI, runtime, cloud, and API traffic. Container and cloud materials repeatedly emphasize correlation: images, packages, VMs, runtimes, and repositories are linked so the system can prioritize issues in operational context rather than emitting isolated finding lists. The workflow after ingestion is equally important. Aikido documents PR feedback, CI gating, AI triage, AutoFix, SBOM export, compliance reporting, and API discovery flows that use both declared specs and observed traffic. Safe Chain extends the control point upstream into package installation, while Zen extends it downstream into application runtime. The result is a coherent loop from detection to prioritization to fix or block. The remaining diligence question is not whether the workflow exists; it is how consistently it performs at enterprise scale, across complex auth/session patterns, and under stricter deployment or data-handling requirements.[CE006, CE007, CE008, CE009, CE010, CE011]

5.3 Runtime, open-source assets, and roadmap velocity

Aikido's public GitHub surface is unusually important to the product story because it shows the company ships more than polished landing pages. The AikidoSec organization hosts dozens of repositories, with Safe Chain and the multi-language Zen runtimes acting as concrete proof that the company invests in developer tooling, not just centralized dashboards. Opengrep strengthens that argument by giving Aikido an open static-analysis engine and consortium-backed governance story. Together, those assets make Aikido look more like a workflow platform with extensible technical building blocks than a purely closed-box scanner vendor. Roadmap velocity, however, is increasingly being defined by offensive testing and autonomous remediation. Independent 2026 coverage and Aikido's own materials show a strategic push into AI pentesting and the Infinite release-loop concept, reinforced by the Allseek and Haicker acquisition and fresh Series B funding. That direction is promising and strategically coherent with the rest of the stack, because Zen, OpenAPI generation, and scan context can all feed a richer exploit-validation workflow. But it is also the least mature part of the public product narrative. The core code and cloud modules appear established; the self-securing-software claims still need more independent benchmark and deployment evidence.[CE015, CE016, CE017, CE018, CE019, CE020]

5.4 Trust controls, reporting, and remaining risks

Public trust materials are strong enough to support enterprise relevance but not strong enough to close every diligence question. Aikido says it is ISO 27001:2022 and SOC 2 Type II compliant, runs annual pentests and a bug bounty, uses read-only access by default, avoids storing customer code after analysis, and keeps AI handling inference-only without training on customer data. Documentation also shows reporting is a first-class output surface rather than an afterthought: security audits, trends, runtime/framework, SLA, team-comparison, malware, SBOM, VEX, and compliance-style outputs are all productized. For many buyers, that combination of workflow coverage and trust messaging will be compelling. The remaining risks are concentrated in depth rather than breadth. Reviews still surface API and reporting limitations, some packaging friction, and occasional false positives. Trust-center language around FedRAMP remains in-progress rather than achieved. Zen's telemetry boundaries, large-scale runtime performance, and Infinite's benchmark methodology are not yet exposed at the depth a highly regulated buyer or strategic acquirer would want. The practical underwriting conclusion is that Aikido looks mature enough on the core platform and unusually strong on workflow fit, but newer offensive-testing and enterprise-trust claims should still be diligenced with primary materials rather than accepted at face value.[CE025, CE026, CE027, CE028, CE029, CE030]

6.1 Customer segment mix and who pays, uses, and benefits

Aikido’s visible customers are not random logos. The public customer surface spans startup, scaleup, enterprise, and multi-company rollout contexts, but it is overwhelmingly software-led and engineering-owned. The people quoted in customer stories are CTOs, CISOs, VP Engineering, platform leaders, DevSecOps engineers, security engineers, and developers rather than procurement officers. That matters because it suggests the product wins where the buyer wants a unified workflow tool that developers will actually use. The customer-stories index explicitly spans Startup, Scaleup, and Enterprise, while fetched stories cover HealthTech, HRTech, LegalTech, HospitalityTech, SecurityTech, Manufacturing, education, and portfolio settings. Enterprise fit is also supported by the published enterprise plan sized for 2,000 repos, 1,000 containers, 100 cloud accounts, and 500 users plus multi-tenant and on-prem options. The caveat is denominator discipline: Aikido publicly alternates between organizations, developers, and teams, so breadth is obvious but exact customer mix is not.[CU001, CU004, CU005, CU006, CU007, CU008]

6.2 Adoption trajectory and denominator discipline

Public adoption trajectory is strong but messy. A May 2024 company post said Aikido had over 3,000 organizations and 6,000 individual developers within a year of launch, while TechCrunch independently reported roughly 3,000 small-to-midsize customers around the same fundraise. By January 2026, Aikido and multiple news outlets were saying the product was used by more than 100,000 teams and that the customer base had more than tripled over the prior year. Those are powerful growth signals, but teams are not the same thing as paying organizations, and neither measure tells us seat count, ARR mix, or free-versus-paid distribution. The better-underwritten part of the trajectory comes from deployment surfaces: Visma at 200+ portfolio companies and 6,000 developers, Oviva at 75+ developers and 200+ repos in weeks, AutoStore at about 100 repos and 100 developers, HeyJobs across 95 repos plus 31 registries and 9 clouds, and Render across roughly 30 repos and 50 developers. The conclusion is clear real adoption, but with unresolved denominator drift.[CU001, CU002, CU003, CU004, CU011, CU012]

6.3 Named customer proof and measured outcomes

Named customer proof is the chapter’s strongest evidence set because Aikido publishes more than a logo wall. Several stories expose operational numbers or concrete outcomes. n8n reports 92% noise reduction and a structured SLA process for 21-day high-severity findings. Supermetrics reports 75% noise reduction. Pathful says total issues fell 60% in two weeks. Petrosea says the fastest fix happened five seconds after detection and compliance-reporting time fell at least 80%. Birdie reports issues can be fixed in 30 seconds, while Simployer says developers now fix issues in under a minute. Visma, Oviva, AutoStore, Render, and HeyJobs add the scale layer: thousands of developers or hundreds of repositories rather than a single sandbox deployment. Even Smartendr’s AI pentest story is useful because it shows Aikido in a due-diligence and audit context, with 54 validated findings and automatic retesting. The limitation is that almost all of this proof is Aikido-authored, so it underwrites product usefulness better than renewal durability.[CU011, CU013, CU014, CU015, CU016, CU017]

6.4 Satisfaction proxies and durability gaps

Durability is the weak spot in the public record. Independent review surfaces are directionally positive: G2 shows 4.6/5 across 139 reviews, TrustRadius shows 8.1/10 across 2 reviews, FeaturedCustomers enumerates 46 reviews and testimonials plus 35 case studies and 5 videos, and SourceForge lists 6 user reviews with a 5.0/5 score. Those are real signals that users like the product and that public reference density is respectable for a young security vendor. But the adverse read matters too. G2’s summary says pricing can feel steep for smaller businesses, and individual reviews ask for deeper customization, better large-enterprise reporting, and cheaper pentest pricing. More importantly, none of the fetched public sources disclose exact current paying organizations, NRR, GRR, gross churn, logo churn, contract duration, or top-customer concentration. Repeat-usage proxies exist—n8n checks the feed at least five times a week, Render embeds regular reporting into operations, and Jurimesh pushes continuous evidence into Vanta—but they are still proxies, not auditable retention metrics.[CU031, CU032, CU033, CU034, CU035, CU036]

6.5 Expansion loops and concentration risk

The expansion story is convincing even without retention disclosure. Public proof repeatedly shows Aikido replacing scattered stacks: Prove collapsed six AppSec tools into one platform; Go Autonomous switched from Snyk after a 1,000-plus vulnerability backlog; Render consolidated DAST and SAST; HeyJobs replaced a sprawl of dependency and alert tools; and Visma emphasizes predictable pricing and portfolio rollout. Integrations into GitHub, GitLab, Azure DevOps, CI/CD, Slack, Jira, Linear, PagerDuty, and Vanta make the product part of everyday work, which is the clearest visible stickiness vector. Enterprise features—multi-tenant portal, local deployment, security reports, and higher repo/container/cloud-account ceilings—support upmarket expansion. The central risk is that the public customer set is still curated and software-heavy. Aikido clearly has real customers; what public materials do not reveal is how much ARR sits in the largest accounts, how much usage is free versus paid, or whether expansion is broad-based versus concentrated in a handful of large engineering organizations.[CU025, CU026, CU027, CU028, CU029, CU040]

6.6 Exhibits

7.1 Regulatory, privacy, and procurement risk

Aikido’s main legal risk is not an obvious active lawsuit or regulator action; it is the gap between what the public packet proves and what regulated buyers may demand. The company’s public legal surface is credible but incomplete: the privacy policy explicitly uses GDPR as the benchmark, the terms identify a Belgian legal entity, and the trust center plus compliance docs show a serious effort to package evidence for security reviews. But the same retained surface also shows limits. The public site terms are not tailored to HIPAA, FISMA, or GLBA interactions, and the packet reviewed here does not itself surface a customer DPA, subprocessor register, or detailed incident commitments. That does not mean those materials do not exist privately; it does mean the public legal surface alone is not enough to underwrite a regulated-enterprise expansion case. The timing risk is rising because Aikido does not just sell generic AppSec anymore. Its documentation explicitly markets compliance pages for NIS2, DORA, GDPR, and other frameworks, while its SCA marketing now ties SBOM output to CRA readiness. That positioning can accelerate sales, but it also makes the product and trust team accountable for audit-grade mappings, not just good UX. If Aikido cannot substantiate those mappings during customer diligence, procurement cycles could lengthen, regulated opportunities could stall, and customer trust could break precisely where the company is trying to move up-market.[CR004, CR005, CR006, CR007, CR009, CR010]

7.2 Platform and dependency risk

Aikido’s product is intentionally low-friction: API based, read-only by default, and tightly connected to source-control, cloud, CI, and workflow tools. That is commercially attractive because it reduces deployment pain and helps customers get value quickly, but it also creates a concentrated dependency map. GitHub state determines onboarding and access sync; cloud permissions determine CSPM visibility; PR gating depends on upstream SCM hooks; and the SCA story depends partly on third-party intelligence such as NVD, GitHub Advisory, and other feeds. When the company says it is ‘agentless’ and up in minutes, it is also saying that external platforms are a material part of the control plane. Mitigants are real. Trust-center materials emphasize ephemeral code handling, default read-only scopes, and local scanning options for privacy-sensitive environments. Zen Firewall adds runtime protection and broad language support, and PR gating plus CI/API paths provide alternatives to a single workflow. Still, the operating model imports partner risk directly into product reliability. Permission changes, API-rate limits, or feed-quality problems can degrade coverage before Aikido itself ships a line of code. The local-scanning path also comes with a clear trade-off: privacy-sensitive buyers can keep code local, but the public docs say those accounts do not get UI AutoFix, which means one of the product’s flagship productivity claims does not travel cleanly to every deployment mode.[CR001, CR002, CR003, CR015, CR016, CR017]

7.3 Market-fit and operational execution risk

The official and independent customer record is directionally positive, but it still leaves execution risk. Official customer proof shows migrations away from a long list of incumbent point tools and repeatedly highlights noise reduction, fast onboarding, and rapid remediation. Pricing-page quotes even argue that Aikido responded quickly during the 2025 NPM supply-chain attacks, which is exactly the kind of behavior enterprise buyers want to hear. But independent evidence is thinner than the official story. Capterra’s review counts remain small, PeerSpot explicitly frames the product toward non-enterprise SaaS teams of 10-500 developers, and TrustRadius includes a reviewer request for agent-based infrastructure reporting that Aikido does not currently provide. That mix matters because Aikido is trying to compress many categories—SAST, SCA, IaC, malware, cloud, compliance, and runtime—into one opinionated workflow. If the product is too shallow for larger or more customized environments, the same breadth that helps SMB and mid-market adoption can become an enterprise-depth objection. The public status page adds only limited comfort here because it currently exposes a website uptime view rather than a richer component map for the entire platform. As a result, the residual risk is not that customers reject the developer-first thesis outright; it is that Aikido’s most compelling claims are easiest to prove in faster-moving engineering teams and hardest to prove in the slowest, most regulated procurement contexts.[CR008, CR027, CR028, CR029, CR030, CR031]

7.4 Thesis-break triggers and mitigation

The investment case only works if Aikido keeps the simplicity of an API-first developer product while gradually satisfying more demanding enterprise and regulated-customer requirements. Public mitigation evidence is decent: no-code-storage claims, read-only defaults, local scanning, runtime firewall options, yearly pentests, bug bounty coverage, customer-facing compliance reports, and enterprise-support packaging all point in the right direction. But those are building blocks, not proof that the company has fully crossed into audit-grade, highly regulated software assurance. The biggest underwriting mistake would be to confuse breadth of surfaces with depth of execution. Thesis-break triggers therefore need to focus on observable transmission channels. If Aikido cannot produce fuller privacy and contracting artefacts when asked, loses deals because local or on-prem buyers cannot match hosted workflow capabilities, sees review quality deteriorate around customization or infrastructure telemetry, or suffers partner-driven blind spots after API or permission changes, the downside will show up quickly in bookings quality and valuation support. Conversely, if the company starts landing more referenceable regulated customers, maintains strong response credibility during supply-chain events, and closes the hosted-versus-local parity gap, much of today’s risk premium can compress. The residual view today is medium-high: credible mitigations exist, but several of the hardest diligence questions still resolve to private evidence rather than public proof.[CR003, CR005, CR007, CR008, CR013, CR026]

8.1 Investment Thesis and Anti-Thesis

The positive case for Aikido is straightforward. The company is clearly not a zero-traction story: the January 2026 Series B established a $1 billion mark, management says the platform serves 100,000+ teams globally, and both the official Series B post and third-party coverage say revenue grew 5x while the customer base more than tripled over the prior year. The product thesis is also coherent. Aikido positions itself as a unified code-to-cloud security platform, and its earlier Series A messaging emphasized a freemium, self-service, developer-led motion. If that model truly combines high product breadth, low-friction onboarding, and efficient expansion into enterprise and AI pentesting workflows, Aikido could still grow into a premium valuation. The anti-thesis is stronger than the public bull story admits. The best public ARR datapoints come from ARR Club rather than management, and they imply that the $1 billion mark rests on an estimated 40x-100x ARR band. Filing-derived evidence shows the Belgian entity was still loss-making through FY2025, while the most important underwriting variables—consolidated revenue, gross margin, NRR, burn, debt, and liquidation preferences—remain unavailable. In other words, public evidence confirms growth and funding, but not enough operating quality to justify paying the current mark with conviction. [CV001, CV003, CV005, CV007, CV011, CV012]

8.2 Recommendation, Confidence, and Valuation Stance

Recommendation for new money is TRACK / RESEARCH MORE. The company itself may be high quality, but the current valuation is not yet sufficiently anchored by public evidence. Aikido's $1 billion post-money round can be rationalized only under optimistic assumptions: that ARR was already closer to the $25 million ARR Club signal than the lower $10 million January signal, that growth remains very high through 2027, and that the business ultimately carries software- like gross margins rather than a heavier blended support and services profile. Confidence is medium-low because the core arithmetic depends on estimated ARR and proxy public multiples rather than audited management disclosure. Risk rating is high. If Aikido is already at $25 million ARR and can continue compounding, the current mark may eventually look merely aggressive. If the round closed closer to low-teens ARR, however, the price is above almost every observable public cyber multiple other than CrowdStrike. For existing insiders, holding can still be rational because the company now has fresh capital and momentum. For outside investors using only public evidence, the current mark should be treated as stretched. [CV011, CV012, CV022, CV023, CV024, CV034]

8.3 Financing Context, Public Support, and Preference Overhang

Publicly, Aikido's financing history is strong but incomplete. The retained record supports a path from €5 million seed funding in late 2023 to a $17 million Series A in May 2024 and a $60 million Series B in January 2026, plus approximately €2 million of early convertible funding. That is enough to show credible investor demand and a capital base around $85 million. It is not enough to model downside precisely. The public record does not disclose the full cap table, preferred liquidation stack, anti-dilution mechanics, or whether any secondary liquidity was included in the latest round. Filing-derived evidence is directionally useful but not underwriting-grade. The Belgian BV entity had €18.2 million of assets and €14.7 million of equity at FY2025 year-end, yet also a negative gross margin and operating loss. The UK entity only appears in April 2026 filings with subsequent share-capital and accounting-period changes. That combination suggests the company is still building out its legal and reporting perimeter while scaling internationally. Investors can therefore say that Aikido is well financed. They cannot say, from public evidence alone, how much downside protection exists for common holders or late secondary buyers. [CV002, CV004, CV006, CV007, CV008, CV009]

8.4 Bull, Base, and Bear Scenarios

The scenario spread is unusually wide because the starting inputs are unusually uncertain. The bull case requires more than good execution; it requires Aikido to remain an outlier. In that case, ARR reaches roughly $80 million to $100 million by 2027, AI pentesting and enterprise upsell deepen monetization, and the business retains an 18x-20x premium multiple. That yields a valuation band of roughly $1.4 billion to $2.0 billion. It is possible, but it only barely clears the return hurdle for a new investor entering at $1 billion. The base case is much less flattering. If growth remains strong but normalizes, ARR may land in the $45 million to $60 million range and the market may assign only a 10x-12x multiple, which implies $450 million to $720 million of value. The bear case is harsher still: $25 million to $35 million of ARR at 5x-7x gives $125 million to $245 million. Those outcomes are not extreme if public metrics remain thin, bundling pressure rises, or the business proves to have lower gross margins than software-first investors expect. The key point is that the current price only works if Aikido remains an outlier for several more years. [CV029, CV030, CV031, CV032, CV033, CV040]

8.5 Comparable Company Set and Relative Valuation

The comparable set splits into three analytical layers. First are direct public software-security and DevSecOps references: GitLab is the closest workflow-platform analog and trades at roughly 4.5x revenue, while Qualys and Tenable sit around 5.2x and 2.7x respectively. Rapid7, at roughly 0.6x revenue, is the cautionary floor for a security vendor that loses growth credibility. None of these companies is a perfect business-model match, but they are all useful in showing where normalized public cyber multiples settle once growth slows or product breadth is no longer rare. The second layer is premium public security software. Palo Alto Networks screens around 20.7x and CrowdStrike around 34.3x on current market-cap-to-revenue proxies. Those are the public ceilings, not the central case. The third layer is late-stage private security. Wiz's $12 billion round shows what the top-end private cloud-security benchmark looked like in 2024, and Snyk's combination of $300 million ARR and a most recent $7.4 billion valuation suggests a roughly 24.7x private AppSec benchmark. Against that set, Aikido's implied 40x-100x band looks expensive unless the company is already much closer to the top end of the ARR estimate range. [CV013, CV014, CV015, CV016, CV017, CV018]

8.6 Exit Readiness and Final Diligence Asks

Public evidence does not support an IPO-ready conclusion. Aikido has the ingredients of a strong private growth company—clear category positioning, recent capital, and visible momentum—but not the disclosure standard a public-market underwriting process would require. The most important missing items are consolidated ARR and GAAP revenue, software versus services gross margin, retention by cohort and tier, cap-table and preference detail, and customer concentration. Those are not minor reporting gaps; they are the core variables that would determine whether the $1 billion valuation is merely aggressive or fundamentally ahead of the business. That means the next diligence step is not better storytelling but better evidence. Management needs to show whether AI pentesting and unified code-to-cloud positioning are actually producing premium economics. If they are, the current mark may still compound. If they are not, the company is much more likely to face flat-to-down-round pressure before it ever reaches an IPO. On public evidence today, strategic optionality looks more plausible than near-term public-market readiness, and the diligence agenda should be built accordingly. [CV009, CV024, CV028, CV036, CV037, CV038]

8.7 Exhibits