Share your experience using Continuous Dynamic (formerly WhiteHat Dynamic)

I used Aikido Security at my previous organization for almost two to three weeks because we had to achieve SOC 2 compliance for our current codebase.

The main use case for Aikido Security was to resolve the vulnerabilities in the packages we were using. I wanted to remove the vulnerabilities from them and update to the latest stable version. A couple of code changes along with package changes were also involved.

Aikido Security helped me with the vulnerabilities and package updates through a simple workflow where I just had to open Aikido Security dashboard, connect my GitHub account, select the repository and scan it. After scanning it, Aikido Security would raise a PR for each vulnerability, specifying what those vulnerabilities were. I would then merge the PR, and it would also run the test cases that I already had attached to my codebase.

Regarding my main use case with the workflow, the process was straightforward. However, there was one minor issue that I faced. When I had a UUID for an object in the code, Aikido Security was considering it as a secret key, which it was not. This was a false positive alarm, but it was not a major issue and merely feedback I wanted to provide.

The best features Aikido Security offers include instantly raising PR by just identifying the vulnerabilities.

When I say instant raising of PR, it helped my workflow by making the process super easy and quick. Initially, I thought I would need to pick the right vulnerability from the internet, update my codebase accordingly, and then ask an engineer to do it. This usually takes about three or four days for one vulnerability, and maybe a week for a bunch of vulnerabilities. However, with Aikido Security it took me two to three hours.

Aikido Security has positively impacted my organization significantly because initially we were thinking it would take a month for us to achieve SOC 2 compliance again. With Aikido Security, we were able to get all codebase vulnerability fixes within a week for all our 13 or 14 repositories that we had.

To improve Aikido Security, the main thing I would suggest is regarding the UUID that was being flagged in the codebase. I had a certain object with a UUID that was being considered as a private secret key or API key, which was not the case. It was a false positive alarm, and if Aikido Security solves that, then it will be perfectly fine.

I have been using Aikido Security for around two to three weeks.

Aikido Security is stable.

Aikido Security is pretty scalable. We did not encounter any problems, so it worked seamlessly for us.

I did not previously use a different solution.

Before choosing Aikido Security, we tried GitHub Copilot and observed how the GitHub Copilot agent performed. It did a horrible job, so we moved to Aikido Security.

I have seen a return on investment with time saved. We needed fewer employees because of that as well. We got SOC 2 compliant very fast with Aikido Security. We were expecting to complete the compliance in a month, but I figured out Aikido Security could do it within a week for all our 13 repositories.

My advice for others looking into using Aikido Security is that you should give it a try. Aikido Security will resolve all your vulnerabilities quickly, and if you have test cases already written in your branch, it will do a pretty good job. I would rate this solution a 9 out of 10.

Aikido Security has been in use for a little over a year, starting as a security initiative from the engineering side because code was scattered across multiple repositories, making CI/CD pipeline and security fixes a significant problem.

The main use case for Aikido Security is application security across the development life cycle, primarily for dependency vulnerability scanning, secret detection, and container image scanning, as the goal was not just finding vulnerabilities, but releasing the backend for different developers while still delivering.

Organization security has improved, with the security team now being more proactive since issues are surfaced earlier, eliminating the large backlog of issues for the team to process.

The improvement in organization security is marked by faster remediation, as vulnerabilities that sat in backlogs for weeks due to unclear ownership are now easily identified and assigned much earlier. While incidents have not completely disappeared, there are fewer last-minute security findings before releases, and development teams are much more confident about what needs immediate attention versus what can be scheduled later.

Standout features of Aikido Security include secret detection, data-driven prioritization of findings, container scanning, and a consolidated security dashboard.

The biggest win with Aikido Security was reducing context switching, as developers previously received vulnerability reports from multiple tools and tried to figure out ownership manually. Now most findings are visible in one place. For example, one issue went unnoticed for weeks, but we are now addressing it in active development, reducing the number of security issues discovered last minute in testing. The secret scanning feature caught a couple of accidentally committed credentials early on, such as an AWS API key committed to a repository, which would have eventually been found during a review, but catching it automatically was definitely a win. Additionally, onboarding new repositories is very straightforward compared to some enterprise security products that have been used.

The biggest challenge with Aikido Security initially was the alert volume, as connecting everything could result in hundreds or thousands of findings. Prioritization helps, but there is still work involved in deciding what should be fixed first. Deeper customization around policies and reporting would be beneficial, since some organizations have specific compliance requirements and the customization can feel limited compared to larger, enterprise-focused platforms.

The documentation for Aikido Security is generally good for setup, but more details in troubleshooting scenarios would be helpful. There were times when a finding was generated that the developer did not fully understand. More real-world examples explaining why a finding was generated and how to verify it would help, along with additional FAQs or troubleshooting guides.

I have been working in this field for about two years.

Aikido Security has been stable, and there have been no major outages affecting workflow. There were occasional delays in scan updates, but nothing that blocked releases.

Scalability with Aikido Security has been good, as new teams continue to be added without significant performance issues. Most scaling challenges are organizational rather than technical, ensuring ownership and remediation processes stay clear.

Customer support has been contacted a few times and responses have been generally quick, usually within a business day. The interaction felt technical rather than scripted, which was appreciated. Most issues were resolved through documentation links, configuration guidance, or clarification around findings.

Previously, a mix of open-source scanners and native platform tools were used. The issue was not that they were bad, but the fragmentation caused problems, with everyone having different dashboards, reports, and alert formats. This led to the desire for something that centralized visibility without creating additional administrative overhead.

The setup cost was easier than expected, with pricing feeling reasonable compared to some larger platforms that were evaluated. The bigger cost was licensing if it involved developer time spent reviewing the initial backlog of findings.

The return on investment has come mostly from operational efficiency, as consolidating much of the workflow, previously involving maintaining separate tools for dependency scanning, secret scanning, and code scanning, has saved somewhere between 10 to 15 engineering hours per week across teams handling security reviews manually.

Before choosing Aikido Security, options such as GitHub Advanced Security, Mend.io, and Snyk were evaluated. Each had strengths, but Aikido Security felt simpler to deploy and easier for developers to adopt without extensive training.

Advice to others looking into using Aikido Security is to avoid connecting everything at once, as more findings than expected will likely be uncovered. Starting with critical repositories, establishing a remediation process, and defining ownership early can prevent teams from getting overwhelmed by the alert volume. Also spend some time tuning the policies before rolling it out company-wide.

Integrating Aikido Security as a single tool reduces much manual effort that used to occur around vulnerability management. The overall review rating for Aikido Security is 8 out of 10.