How Apheris unified Security and Compliance in under a week

Hey Alejandro! What does Apheris do, and what’s your role?

Apheris powers federated life sciences data networks, addressing the critical challenge of accessing proprietary data locked in silos due to IP and privacy concerns. Our product is a federated computing infrastructure with governance, security and privacy controls, enabling life sciences organizations to collaboratively train higher quality models on complementary data from multiple parties. We're a relatively small team (around 25 engineers) which allows us to stay agile, try new things, and be early adopters of technologies like Aikido.

I'm Alejandro and I’m leading security, privacy, and IT at Apheris. With 12+ years in the field, I’ve gone from large organizations like Cisco, Rackspace, and Auth0 to the startup world, where I build security, privacy, and compliance programs (and the teams behind them) from the ground up. My focus spans cloud and application security, infrastructure as code, automation, and keeping systems resilient and data private.

I’m based in sunny Alicante, Spain. When time permits, I still enjoy getting hands-on: writing code, tuning detections, and building internal tools. Lately, I’ve been diving into AI and automation, introducing governance-friendly agents to streamline security and IT workflows and make our stack a little smarter (and a lot more efficient).

What kind of pressure do your customers put on your security and compliance practices?

A lot. And for good reason. We're dealing with healthcare data and selling into some of the most regulated industries on the planet. For one enterprise deal, the customer asked us to undergo four independent penetration tests before signing. That’s over €100K spent on their side just to start the conversation.

“I’ve never seen this level of scrutiny before signing a contract. There’s no room for shortcuts.”

Security is embedded into our product and processes from the beginning. We’re ISO 27001, SOC 2 Type I and II, GDPR compliant, and we built a Trust Center so customers can easily see our posture without needing to email back and forth. It’s all about building trust, quickly.

How were you handling security and compliance before?

Our setup was pretty typical for a fast-moving team: fragmented and lacking centralization. We relied on a mix of open source tools for secret scanning, Snyk for container security and dependency management, and Detectify for web application scanning. Each tool served a purpose, but the lack of cohesion meant we had to spend significant effort keeping everything stitched together with lots of duct tape and elbow grease (laughs).

“We had this overhead of a small team maintaining several open source tools. It was a pain.”

Each tool served a purpose, but none of them worked together. Secret scanning was noisy and difficult to manage across repos, container scanning was tough for engineers to act on. Even basic compliance tasks like collecting evidence or tracking SLAs were fragmented.

For example, Snyk’s output was hard to act on, especially for engineers who need to know about different tools and interact with them in different ways. Even with our GitHub infrastructure as code, keeping these tools up-to-date and functional became a time drain.

“If I, as a security engineer, have to spend time deciphering findings, how can I expect our engineers to act on them? They’ll just ignore it.”

What was the compliance evidence collection process like before combining Aikido with Vanta?

Painfully manual. Policies were stored in SharePoint. Onboarding and offboarding were tracked separately. Pulling together audit evidence required jumping across multiple tools and spreadsheets.

“Manual, manual, and more manual. Every audit cycle created drag on the business.”

We lacked a unified view of vulnerabilities, inventory, vendor risk, you name it. And for a small team, this kind of operational friction can really slow things down when it matters most.

How would you describe the role technology now plays in supporting your security & compliance posture?

The difference is night and day. Security became invisible to most developers, and that’s a good thing.

Aikido made it easy for engineers to see and resolve issues without bouncing questions back to the security team. Every repo has relevant, actionable insights. It’s easy for engineers to self-serve and resolve issues, without needing me to translate security reports for them. No guesswork. No PDFs to interpret. Integrations on pull requests and also IDEs are a blast.

Aikido and Vanta together give us both visibility and automation. Aikido continuously scans for issues and feeds real data into Vanta. That includes:

  • Vulnerability and patch SLA tracking
  • Malware detection
  • Change management
  • Base configuration validation (via Terraform & IaC)
  • GitHub policy enforcement
  • And automated security awareness training

“Now we can show how we're meeting SLAs and controls, without manually compiling reports.”

Vanta then acts as our single source of truth for audits, customer reviews, and internal GRC oversight. It ties everything together with evidence that’s audit-ready and actionable.

What stood out when evaluating both tools?

For Aikido: it was the ease of rollout and dev-friendliness. We expected a painful transition, but had it running across repos in under a week. Aikido covers a lot of what we need right out of the box. Many of the open source tools we were already using were integrated into the platform, which made things feel familiar and reduced our migration overhead. Thanks to our GitHub setup-as-code approach, we were able to roll it out across repositories in just a few days, much faster than we initially anticipated.

“Based on prior experience, we expected a slow transition. Instead, we migrated everything in a week, without disrupting anyone.”

For Vanta: it was the breadth of automation and how quickly we could reduce manual evidence collection. The integrations with Aikido, Microsoft Defender, GitHub, and others made it the right fit to centralize compliance.

Together, they reduced both effort and risk. We gained visibility, reduced noise, and moved to a setup that doesn't require a full-time person to babysit it.

Can you share a moment when Aikido and Vanta saved you time or stress?

Definitely. Aikido's Team Comparison Report gives us a great lens into how different teams are performing, and we even post the report in Slack. It’s not about competition, per se, but it definitely gamifies security in a healthy way.

That said, AutoFix also stands out. Not just for what it does, but for how quickly the Aikido team acted on our feedback. At first, our PR standards blocked AutoFix from running properly, since we mandate tight pull request standards such as PR titles and commit messages. Within weeks, the team had added support for our specific setup.

We came from enterprise solutions that are unresponsive to customer feedback (as we are a small shop), require long-window support tickets even for tiny matters, and where you only hear from your account managers just before the renewal cycle.

“The team took our feedback and shipped a fix within weeks. That kind of responsiveness matters.”

On the Vanta side, having security signals from Aikido flowing into our compliance dashboards means we no longer scramble for answers when customers ask, “How do you manage vulnerabilities?” It’s already there, with context and SLA tracking.

And finally: how would you sum up Aikido and Vanta’s impact?

“Aikido and Vanta give us peace of mind. Security and compliance are covered, so our engineers can focus on building.”
