AI Pentesting

Aikido Security Features in 2026: An Honest Breakdown of What Each Module Actually Does

 Ninad Pathak - Tech Author
Ninad Pathak

Organic Growth

Aikido Security is a unified application security platform that groups its scanners into four product pillars, Aikido Code, Aikido Cloud, Aikido Attack, and Aikido Protect. Those pillars span source code, cloud infrastructure, and runtime.

The lineup folds in SAST, SCA, secrets, IaC, container and cloud scanning, DAST, AI pentesting, and a runtime firewall. One login covers code to production (aikido.dev, as of July 2026).

That is the marketing version. The rest of this piece walks each module with the scope notes and plan gates pulled straight from Aikido’s own pages.

Aikido Security homepage showing the secure everything devs build ship and run headline with the four product pillars code, cloud, attack, and protect

TL;DR: Aikido’s strength is breadth. It consolidates roughly a dozen scanners across code, cloud, and runtime into one platform, with noise-reduction claims and agentless cloud connection that hold up on its docs.

The trade-offs are also documented. Several headline features (VM scanning, attack-surface monitoring, malware detection) sit behind the Pro tier, the pentest bills per assessment, and there is no engineering-metrics module.

If you are weighing that breadth against developer-workflow depth, CodeAnt AI is a defensive and offensive security platform that unifies AI code review, SAST, and agentic pen testing, and it is the anchor this piece compares against.

Aikido Security Features at a Glance

Here is every core module, what it does, where it runs, and the one limit or plan gate worth knowing before you commit. Each row is sourced to an Aikido page and checked July 2026.

Module

What it does

Where it runs

Notable limit or plan gate

SAST + AI SAST

Static analysis for vulnerabilities in source

Repo, CI, IDE

Free tier, 20+ languages

Dependency scanning (SCA)

Flags CVEs in packages, ranks by reachability

Repo, CI

Reachability filtering on all tiers

Secrets detection

Finds exposed keys, checks if still live

Repo

Does not revoke, history scan is opt-in

IaC scanning

Misconfigurations in Terraform, K8s, Dockerfiles

Repo, CI

Pulumi marked “coming soon”

Container scanning

CVEs across 14+ registries, base-image fixes

Registry, CI

Needs registry credentials or CI

Cloud posture (CSPM)

Agentless misconfiguration audit

Cloud accounts

AWS, Azure, GCP, “select others”

VM scanning

Snapshot-based package scan

Cloud accounts

Pro plan and up

Surface monitoring (DAST)

Authenticated ZAP-based web and API scans

Live app

Non-destructive, endpoints need OpenAPI

AI Pentest

Autonomous agents that validate exploits

Live app plus code

Bills per assessment, from $4,000

Code Audit

AI reasons over source for logic flaws

Repo

Paid via Aikido credits

Malware detection

Aikido Intel feed plus Safe Chain

Dependencies, device

Pro plan and up

Zen runtime protection

In-app firewall, open source

Runtime

Free and open source

Device Protection

Blocks bad packages and extensions on laptops

Dev devices

Basic+, Linux due early Q3 2026

Code Quality

AI review and PR comments

Repo, PR

Basic plan and up

Takeaway: the free tier gets you the code and cloud scanners, and the differentiators (VM, surface monitoring, malware, device) start at Basic or Pro.

What Features Does Aikido Security Actually Include?

Aikido organizes everything under four pillars, and the dashboard mirrors that split. A single findings feed pulls results from every scanner into one list, sorted by severity and estimated fix time.

Aikido Security findings feed showing critical issues from SAST, dependencies, cloud, and containers in one severity-ranked list

Here is each module the way you meet it after connecting a repo, starting with the code scanners.

SAST and AI SAST

Aikido’s SAST feature reads the source code without running it and flags security and quality issues, then routes fixes to your IDE, inline PR comments, or an AI-generated pull request (aikido.dev/code/static-code-analysis-sast, July 2026). Coverage spans 20-plus languages, from JavaScript and Python to Java, C#, Go, Rust, and Kotlin.

An AI reachability engine triages findings, and Aikido states the rule-set is “optimised to reduce false-positives by 90%.” Harder fixes go to an agentic AI and simpler ones use deterministic workflows, each tagged with a confidence level.

Aikido Security SAST findings in the AutoFix view showing critical and high severity issues with file locations and confidence labels

Open-source dependency scanning (SCA)

The software composition analysis scanner checks the libraries you pull in and flags known CVEs, license risks, and other supply-chain issues. Its reachability analysis traces call chains from your code into third-party packages, which Aikido claims cuts 94% of the noise.

SBOM export covers SPDX, VEX, CycloneDX, and CSV, and you can import external SBOMs. AutoFix opens PRs with non-breaking version bumps, with an auto-merge option for critical CVEs.

Secrets detection

Secrets scanning looks for API keys, tokens, private keys, and database credentials across code, YAML, JSON, .env files, Terraform, and commit messages. Detection uses pattern matching, entropy analysis, and validation logic (aikido.dev/code/secrets-detection, July 2026).

Live Secret Detection checks whether an exposed secret is still active and adjusts the severity to match. Two limits are worth knowing before you lean on it.

The tool flags an exposed secret and guides you to rotate it, but it does not revoke the secret for you. Scanning git history is an opt-in setting rather than the default.

Infrastructure as code (IaC) scanning

IaC scanning inspects infrastructure definitions before deployment and catches public buckets, 0.0.0.0/0 security groups, unencrypted databases, and over-broad IAM. Supported formats include Terraform, CloudFormation, Kubernetes manifests, Helm, ARM/Bicep, and Dockerfiles (aikido.dev/cloud/infrastructure-as-a-code-iac, July 2026).

LLM-based autofix suggests and generates the remediation. One gap to note from the docs, Pulumi support is listed as “coming soon” rather than shipped.

Container image scanning

Container scanning detects CVEs in OS packages, end-of-life software, malware, and license risks across base images and Dockerfiles. It reaches 14-plus registries including ECR, Docker Hub, GCP, Azure, GitHub, GitLab, Quay, JFrog, and Harbor, and AutoFix can suggest a patched base image and open the fix PR (aikido.dev/code/container-image-scanning, July 2026).

Two limits are documented. The scanner needs registry credentials or a CI integration to reach your images, and embedded secrets or misconfigurations get handled by the separate scanners rather than this one.

Cloud posture (CSPM) and VM scanning

CSPM continuously audits cloud configuration for public buckets, permissive IAM, open ports, and missing encryption. It runs fully agentless over read-only API access, spanning AWS, Azure, GCP, and “select others like DigitalOcean” (aikido.dev/cloud/cloud-posture-management-cspm, July 2026).

Virtual machine scanning is snapshot-based, so Aikido creates a temporary VM snapshot, scans it for vulnerable packages and runtimes, then deletes it, with data staying in the same cloud region. VM scanning sits on the Pro tier and up, per the pricing page.

Aikido Security Clouds view showing a connected AWS production account with issue counts by severity

Surface monitoring (DAST)

Surface Monitoring is Aikido’s DAST, built on “a subset of safe OWASP ZAP scans” plus its own de-noising, running daily against your live apps and APIs. Authenticated DAST logs in as a real user to reach deeper flows and check JWT handling (aikido.dev/attack/surface-monitoring-dast, July 2026).

Aikido documents the scope plainly. The scans avoid destructive tests, need OpenAPI specs or manual config to find API endpoints, skip frontend-specific scans, and are positioned as monitoring rather than a replacement for a real pentest.

AI Pentest and Aikido Infinite

Aikido Attack runs hundreds of autonomous agents through Discovery, Exploitation, and Validation, and connecting your repos makes the test code-aware so agents understand roles and data flows. Every finding is validated before it reaches the report, and the system pauses before deeper escalation with an opt-in “Exploit Further” action (aikido.dev/attack/aipentest, July 2026).

Aikido Attack pentest module inside the app showing the aikido/attack projects screen with add-project and sample-report options

Reports export in four formats, from a management summary to a SOC 2 or ISO 27001-ready auditor PDF. Aikido Infinite extends this to continuous testing, triggering a scoped pentest on each deploy by analyzing the diff, billed at $16 per agent with agents running one to two hours.

Code Audit

Code Audit is the AI layer that reasons over source code rather than a running app, aimed at the flaws that pattern-based SAST tends to miss. It hunts IDORs, broken access control, race conditions, subscription-tier bypasses, and multi-step attack chains (aikido.dev/code/code-audit, July 2026).

Aikido positions it as a complement to SAST that catches deeper logic bugs. Access is paid through Aikido credits priced on repo size, and the docs note it needs source access and cannot test live deployed apps, where AI Pentest takes over.

Aikido AI Code Analysis screen inside the app showing the create-audit page and reasoning-based analysis cards

Malware detection and Safe Chain

Malware detection cross-references your dependencies against Aikido Intel, a live feed of malicious packages, and claims to flag threats days ahead of public databases. Safe Chain hooks into package managers to block a malicious dependency at install time across npm, PyPI, NuGet, Maven, and RubyGems (aikido.dev/protect/malware-detection-in-dependencies, July 2026).

One placement detail matters for planning. Malware Detection is a Pro-tier feature on the pricing page, so the free and Basic plans do not include it.

Zen runtime protection

Zen is Aikido’s in-app firewall, embedded in the application to block SQL and NoSQL injection, command injection, path traversal, and bot traffic at runtime, with user-aware rate limiting. Agents exist for Node.js, Python 3, PHP, Java, .NET, Ruby, and Go across named frameworks (aikido.dev/protect/zen, July 2026).

Aikido Zen Firewall view inside the app showing a Node.js demo app in blocking mode with request and attack counts over the last 7 days

Zen is open source and free to install, and you pay only when you upgrade the wider subscription. Bot Protection as a managed feature starts at the Basic tier per pricing.

Device Protection and Code Quality

Device Protection blocks malicious packages, IDE extensions, browser extensions, and AI-tool integrations at the developer’s machine, deploying through MDMs like Jamf or Fleet (aikido.dev/protect/device-protection, July 2026). Windows shipped, and the docs note Linux support arriving “by early Q3 2026.”

Code Quality adds AI PR review with inline comments, one-click fixes, summaries, and custom rules that learn from your team’s past PRs. It is language-agnostic across the same broad language list and lands on the Basic tier and up.

What’s Good About Aikido’s Feature Set?

The breadth is the strongest part. You get SAST, SCA, secrets, cloud posture, and a runtime firewall behind one findings feed with shared triage, so a single login replaces a stack of separate tools.

Aikido Security dashboard showing the issue summary, SLA insights, latest Aikido Intel advisories, and issue-type breakdown

Noise reduction holds up on the docs. Reachability analysis on SCA and AI triage on SAST both demote findings that are not exploitable, and Aikido publishes specific filtering numbers instead of vague ones.

Cloud connection stays agentless over read-only APIs, VM scanning uses disposable snapshots that stay in-region, and Zen ships as open source. Runtime protection then carries no license cost until you upgrade the wider plan.

AutoTriage groups duplicate alerts, and AutoFix ships fixes as reviewable pull requests across SAST, SCA, IaC, container, and pentest findings, covering 100-plus issue types (aikido.dev/code/autofix, July 2026).

Where Are the Limits?

None of this is a knock on the product. Each item is the documented reality of what costs extra and what sits out of scope, and the pattern is that the marquee features sit above the free line.

Here is how the plan gates fall, straight from the pricing page as of July 2026.

Capability

Free (Developer)

Basic ($350/mo)

Pro ($700/mo)

Advanced ($1,050/mo)

SAST, SCA, secrets, IaC, cloud

Included

Included

Included

Included

AI AutoFixes

10 per month

Unlimited

Unlimited

Unlimited

PR Security Review, Code Quality, Device Protection

No

Yes

Yes

Yes

SSO (SAML)

No

Yes

Yes

Yes

VM scanning, API fuzzing, attack-surface monitoring, malware detection

No

No

Yes

Yes

Broker for internal apps, private registry proxy, FIPS images

No

No

No

Yes

Takeaway: the free plan is a real scanning tier, but VM scanning, malware detection, and surface monitoring need Pro, and single-sign-on needs at least Basic.

A few scope notes matter as much as the price gates. The AI pentest bills separately from the platform, starting at $4,000 per standard assessment (with a “no High or Critical finding, don’t pay” guarantee), and Code Audit runs on a separate credit balance.

Feature availability has edges too. DAST needs OpenAPI specs to enumerate API endpoints and skips destructive tests, IaC has no Pulumi support yet, and Device Protection is Windows-first with Linux still pending.

One structural gap matters for engineering leaders. Aikido’s module list carries no engineering-metrics or DORA product, so throughput, cycle time, and delivery analytics are not part of the platform (checked across aikido.dev/platform and the pricing page, July 2026).

How Do Aikido’s Features Compare to CodeAnt AI?

CodeAnt AI is a defensive and offensive security platform that unifies AI code review, SAST, and agentic pen testing, and it overlaps Aikido on the shared security scanners while going deeper on the developer workflow. The two share SAST, SCA, secrets, IaC, cloud posture, container scanning, and code-aware AI pentesting.

The split shows up at the edges of each platform. Aikido reaches further into production assets, and CodeAnt AI reaches further into how code gets written, reviewed, and measured.

Capability area

CodeAnt AI

Aikido Security

Shared scanners (SAST, SCA, secrets, IaC, CSPM, containers)

Yes

Yes

AI code review as a first-class pillar

Yes, unlimited reviews, PR chat, custom rules

Code Quality module (Basic+)

Engineering and DORA metrics

Yes, dedicated pillar

Not offered

Code-aware AI pentest

Yes, white-box reads full codebase, free first scan

Yes, bills per assessment from $4,000

VM and host scanning

Not offered

Yes (Pro+)

Runtime firewall and device protection

Not offered

Zen and Device Protection

Pricing shape

Modular per pillar, pentest pays on findings

All-in-one tiers, pentest per assessment

Takeaway: pick Aikido for the widest asset coverage including VMs, domains, and a runtime firewall. Lead with CodeAnt AI when AI code review, code quality, and delivery metrics should live beside security in the developer workflow.

The full head-to-head lives in the CodeAnt AI vs Aikido Security breakdown.

Where This Leaves You

Aikido’s feature set is a wide, well-consolidated security platform, strongest when you are collapsing many tools into one and want coverage from code through cloud to runtime. The honest caveats are the Pro-tier gates on VM, malware, and surface monitoring, the separately billed pentest, and the absence of engineering metrics.

If developer-workflow depth and delivery metrics weigh as heavily as breadth for you, put CodeAnt AI on the same shortlist and read the CodeAnt AI vs Aikido Security comparison before you decide.

FAQs

What does Aikido Security do?

Is Aikido Security free?

What is Aikido Attack?

Is Aikido Security SOC 2 and ISO 27001 compliant?

Which languages does Aikido's SAST support?

Table of Contents

Start Your 14-Day Free Trial

AI code reviews, security, and quality trusted by modern engineering teams. No credit card required!

Share blog: