Aikido Security is pushing automated security testing earlier in the release cycle with Code Audit, a new source-code analysis product that Aikido says sits between conventional static application security testing and a human penetration test.
The product, described in a June 16 launch post by Aikido's Shaun Brown and updated June 19, is built around a specific gap in application security: vulnerabilities that do not look like vulnerabilities when viewed one line at a time. Aikido says Code Audit follows references across files and modules, reasons about the surrounding application logic, and returns findings with root cause, code-based evidence, and an AutoFix that can generate a pull request.
That positioning matters because it shows where Aikido wants to take the security platform it has been assembling. Aikido is not only selling scanners. It is trying to turn vulnerability discovery, triage, remediation, and retesting into a loop that happens inside engineering workflows, before code reaches production.
Aikido's own about page says the company was started because its team found the security tools they used "slow, confusing, overpriced and noisy." That thesis is visible in Code Audit: the team has spent Aikido's first years bundling code, cloud, runtime, and offensive testing into one product line, then using AI to reduce the handoff cost between detection and fixes.
What Aikido says Code Audit changes
Aikido is careful not to call Code Audit a replacement for SAST or pentests. Its argument is narrower and more useful: SAST is good at matching known rules during development, while pentests are better at reasoning through exploit paths but usually depend on a live environment, valid credentials, scope boundaries, and later-stage timing.
Code Audit works on static source code rather than a running app. According to Aikido, that means it can review multiple repositories, feature-flagged code paths, undeployed changes, and admin-only routes that a live test may not safely exercise. Aikido also says the product can be used beyond web applications, including mobile apps, smart contracts, and legacy codebases where rule coverage is thin.
The launch post gives the example of a multi-step insecure direct object reference (IDOR) chain spread across three files. No single line necessarily triggers a pattern-based rule, because each file in isolation looks like ordinary plumbing. The issue appears only after tracing the reference from where the identifier enters to where it is used, noticing in context that no authorization check sits anywhere on that path, and connecting the steps into an exploit path. Brown also points to ReDoS patterns detected from source without live exploitation, and to admin-only routes that live pentests miss because testers lack valid credentials.
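The cross-file shape that example describes, written out as an added illustration for this page (it is not Aikido's example, and none of the names or data come from the launch post): three classes stand in for three files, a route, a service, and a repository. The route takes an invoice id from the client, the service looks it up, the repository returns the row, and no line on the vulnerable path compares the row's owner to the logged-in user. The hardened service method adds that comparison and answers "not yours" exactly like "not found". All identifiers and the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# "repo.py": persistence layer. It has no notion of who is asking.
class InvoiceRepo:
    def __init__(self) -> None:
        # Constructed sample data: two tenants, one invoice each.
        self._rows = {
            101: Invoice(invoice_id=101, owner_id=1, amount_cents=4200),
            102: Invoice(invoice_id=102, owner_id=2, amount_cents=99900),
        }

    def find(self, invoice_id: int) -> Optional[Invoice]:
        return self._rows.get(invoice_id)


# "service.py": business logic between the route and the repo.
class InvoiceService:
    def __init__(self, repo: InvoiceRepo) -> None:
        self._repo = repo

    def get_invoice_vulnerable(self, invoice_id: int) -> Invoice:
        # Read on its own this is just a lookup by primary key, which is why a
        # per-line rule has nothing to match. The defect is the absence of an
        # ownership comparison anywhere on the path from route to row.
        inv = self._repo.find(invoice_id)
        if inv is None:
            raise LookupError("invoice not found")
        return inv

    def get_invoice_hardened(self, invoice_id: int, requester_id: int) -> Invoice:
        inv = self._repo.find(invoice_id)
        # Deny by default, and answer "not yours" the same way as "not found"
        # so the endpoint does not confirm which invoice ids exist.
        if inv is None or inv.owner_id != requester_id:
            raise LookupError("invoice not found")
        return inv


# "routes.py": HTTP-style handler. The id is attacker-controlled input;
# the session user id is assumed to come from an authenticated session.
def get_invoice_route(params: dict, session_user_id: int,
                      service: InvoiceService, hardened: bool) -> dict:
    try:
        invoice_id = int(params["id"])
    except (KeyError, ValueError):
        return {"status": 400, "body": "bad id"}
    try:
        if hardened:
            inv = service.get_invoice_hardened(invoice_id, session_user_id)
        else:
            inv = service.get_invoice_vulnerable(invoice_id)
    except LookupError:
        return {"status": 404, "body": "not found"}
    return {"status": 200,
            "body": {"id": inv.invoice_id, "amount_cents": inv.amount_cents}}


def demo() -> tuple:
    """Run the same cross-tenant request against both paths."""
    service = InvoiceService(InvoiceRepo())
    # User 1 asks for invoice 102, which belongs to user 2.
    leaked = get_invoice_route({"id": "102"}, 1, service, hardened=False)
    denied = get_invoice_route({"id": "102"}, 1, service, hardened=True)
    # User 1 asks for their own invoice; the hardened path still serves it.
    own = get_invoice_route({"id": "101"}, 1, service, hardened=True)
    return leaked, denied, own


if __name__ == "__main__":
    for label, resp in zip(("vulnerable", "hardened", "own record"), demo()):
        print(f"{label}: {resp}")
```

The point of splitting the code this way is that a grep for "missing auth check" has nothing to grep for: the repository is correct, the route validates its input, and the service does a plain lookup. The finding only exists as a property of the whole path, which is the kind of reasoning the post is claiming to automate.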
That is the real bet. Aikido is not promising that every vulnerability has a signature. It is betting that agentic code analysis can make more of the reasoning work repeatable, cheap enough to run before release, and integrated enough that developers accept the output.
The benchmark claims still need scrutiny
The strongest numbers in Aikido's launch post are also the ones that deserve the most careful reading. Aikido says that, based on internal testing and early users, Code Audit covers roughly 70% to 80% of what a full pentest engagement surfaces, at around 10x lower cost. It also says early users found a median of about 25 security issues per codebase and that zero audits came back clean.
Those are company-supplied benchmarks. Aikido does not disclose the sample size, the application types tested, the severity distribution of the issues, how it defined a comparable pentest engagement, the false-positive rate, or whether the findings were independently validated. Without a false-positive rate, the "zero clean audits" figure cuts both ways: a tool that never returns a clean result may be thorough, or it may simply over-report. For buyers, that missing methodology matters as much as the headline percentage.
Still, the commercial logic is clear. A traditional pentest is constrained by time, access, scope, and environment readiness. If Aikido can reliably catch even a meaningful subset of logic bugs before release, it gives security teams a way to reserve human pentesting for validation, high-risk surfaces, and judgment calls rather than first-pass discovery.
The timing claim is just as important as the coverage claim. Aikido argues that finding a vulnerability before release means the developer who wrote the code still has context and can fix it as a normal code change. Finding the same issue after production creates a remediation cycle, interrupts another project, and turns the security team into a blocker. That is the developer-first argument Aikido has been making since its early days, now applied to pentest-style reasoning.
A unicorn trying to justify the platform thesis
Code Audit lands five months after Aikido announced a $60 million Series B at a $1 billion valuation, led by Tom Stafford at DST Global with participation from PSG Equity, Singular, Notion Capital, and others. SecurityWeek's report on the round matched that lead and participant list and put Aikido's total funding at more than $84 million.
The round put pressure on Aikido to show that its platform is more than a dashboard that consolidates scanners. Code Audit is one answer: a product that uses the code context Aikido already ingests and extends it into the gray zone between static checks and offensive testing.
Aikido says its broader platform now covers code security, open-source dependency scanning, secrets detection, malware detection in dependencies, infrastructure-as-code scanning, cloud posture management, container and Kubernetes image scanning, AI pentests, runtime protection, and bot protection. The company also advertises AutoTriage and AutoFix features that use code and infrastructure context to reduce noise and generate reviewable fixes.
That breadth can be an advantage if the products share context. It can also become the usual platform trap: a long feature list that looks complete on a pricing page but leaves customers wondering which products are best-in-class. Code Audit is interesting because it does not merely add another checkbox. It tries to exploit a structural advantage of a unified platform: the more source, dependency, infrastructure, and runtime context Aikido has, the better its automated reasoning should become.
Why this is happening now
Aikido frames the launch around increasingly capable AI agents finding and chaining vulnerabilities. The post includes claims about a recent Anthropic model release and withdrawal, but those claims are not independently verified and should be treated as Aikido's narrative setup rather than a verified account.
The underlying pressure is easier to verify from the product strategy itself. AI-assisted development is increasing the amount of code teams can produce. Security teams are being asked to review faster-moving codebases without proportionally larger headcount. Rule-based scanners help with known patterns, but business-logic flaws, authorization gaps, workflow abuse, and cross-file exploit chains are harder to reduce to signatures.
That is why Aikido is aiming Code Audit at moments just before release or after a major feature lands. The product is not trying to replace the entire security review process. It is trying to make one expensive, late, human-heavy part of that process available earlier, from source code, with a fix path attached.
The unanswered question is whether Aikido can keep the signal high enough for developers to trust it. A security product that finds 25 issues per codebase is valuable only if those issues are real, prioritized, and actionable. A developer-first company lives or dies on that trust. Code Audit is Aikido's latest attempt to prove that automated security can be useful without becoming another noisy queue engineers learn to ignore.