
Hey Alejandro! What does Apheris do, and what’s your role?
Apheris powers federated life sciences data networks, addressing the critical challenge of accessing proprietary data locked in silos due to IP and privacy concerns. Our product is a federated computing infrastructure with governance, security and privacy controls, enabling life sciences organizations to collaboratively train higher quality models on complementary data from multiple parties. We're a relatively small team (around 25 engineers), which allows us to stay agile, try new things, and be early adopters of technologies like Aikido.
I'm Alejandro and I’m leading security, privacy, and IT at Apheris. With 12+ years in the field, I’ve gone from large organizations like Cisco, Rackspace, and Auth0 to the startup world, where I build security, privacy, and compliance programs (and the teams behind them) from the ground up. My focus spans cloud and application security, infrastructure as code, automation, and keeping systems resilient and data private.
I’m based in sunny Alicante, Spain. When time permits, I still enjoy getting hands-on: writing code, tuning detections, and building internal tools. Lately, I’ve been diving into AI and automation, introducing governance-friendly agents to streamline security and IT workflows and make our stack a little smarter (and a lot more efficient).
How big is the security challenge when working with pharma clients?
Massive, and rightly so. We deal with sensitive data, so security isn’t just a best practice, it’s a requirement to do business. To give you an example: for one enterprise deal, a client required us to pass four independent penetration tests before signing. That’s over €100K spent on their side just to start the conversation. We have also built a trust center so our clients or potential customers can review our entire internal privacy, security and compliance posture. This also helps our customers streamline their vendor reviews and compliance assessments and reduce the response time by an order of magnitude.
“I’ve never seen this level of scrutiny before signing a contract. There’s no room for shortcuts.”
We’ve built privacy and security into our product and processes from day one. We bring our product to the data, not the other way around. Our federated model training system runs on the client’s infrastructure, like their AWS account, so data doesn’t need to move. That setup maintains compliance, preserves privacy, and aligns with how pharma clients expect their data to be handled. We’re ISO 27001, SOC 2 Type I and II and GDPR compliant. Security and privacy aren’t an afterthought, they’re foundational to our business.
What challenges did you face before switching to Aikido?
Our setup was fragmented and lacked centralization. We relied on a mix of open source tools for secret scanning, proprietary solutions like Snyk for container security and dependency management, and Detectify for web application scanning. Each tool served a purpose, but the lack of cohesion meant we had to spend significant effort keeping everything stitched together with lots of duct tape and elbow grease (laughs).
Adopting Aikido has helped consolidate several of these efforts into a single, more unified product, reducing friction for the team. While it's not a silver bullet, it's become an important piece in a broader security strategy that still includes other tools and processes we value.
“We had this overhead of a small team maintaining several open source tools. It was a pain.”
Each tool lived in its own silo. It was difficult to manage configurations across repositories, and even harder to get an aggregated view of our security posture. Secret scanning was noisy. Container scan results weren’t actionable. And overall, the maintenance burden was growing as we added more repositories to scan. Snyk’s output was hard to act on, especially for engineers who need to know about different tools and interact with them in different ways. Even with our GitHub infrastructure as code, keeping these tools up-to-date and functional became a time drain.
“If I, as a security engineer, have to spend time deciphering findings, how can I expect our engineers to act on them? They’ll just ignore it.”
What led you to choose Aikido?
We wanted one platform that could give us visibility, reduce noise, and that didn’t require a full-time person to babysit it.
Aikido covers a lot of what we need right out of the box. Many of the open source tools we were already using were integrated into the platform, which made things feel familiar and reduced our migration overhead. Thanks to our GitHub setup-as-code approach, we were able to roll it out across repositories in just a few days, much faster than we initially anticipated.
Of course, no rollout is ever truly effortless. We still had to validate our pipelines and double-check that the coverage matched our expectations. But overall, Aikido helped us accelerate the process and reduce the operational burden of stitching things together manually. It’s now a solid part of our broader security tooling, though (like with any vendor) we continuously evaluate and monitor its role within our threat model.
“Based on prior experience, we expected a slow transition. Instead, we migrated everything in a week, without disrupting anyone.”
What changed after rolling out Aikido?
The difference is night and day. Security became invisible to most developers, and that’s a good thing.
Aikido made it easy for engineers to see and resolve issues without bouncing questions back to the security team. Every repo has relevant, actionable insights. It’s easy for engineers to self-serve and resolve issues, without needing me to translate security reports for them. No guesswork. No PDFs to interpret. Integrations on pull requests and also IDEs are a blast.
What feature has had the biggest impact for you?
If I had to pick one, it’s the Team Comparison Report. It gives us a great lens into how different teams are performing, and we even post the report in Slack. It’s not about competition, per se, but it definitely gamifies security in a healthy way.
That said, AutoFix is also a standout. Not just for what it does, but for how quickly the Aikido team acted on our feedback. At first, our PR standards blocked AutoFix from running properly, as we mandate tight pull request standards such as PR titles or commit messages. Within weeks, the team had added support for our specific setup.
We came from enterprise solutions that are unresponsive to customer feedback (as we are a small shop), require long-window support tickets even for tiny matters, and where you only hear from your account managers just before the renewal cycle.
“The team took our feedback and shipped a fix within weeks. That kind of responsiveness matters.”
And if you had to summarize Aikido in a sentence?
“Aikido is the peace of mind that your security responsibilities are covered, so our engineers can focus on shipping without compromises.”
It’s been a fantastic experience to bring the Aikido solution to the Apheris organisation. The product has helped streamline parts of our workflow, and the team has been responsive and open to feedback, which we really value. Aikido has made certain aspects of our security operations smoother and more manageable.
That said, no tool is ever a one-stop solution. We continue to assess how it fits into our evolving security posture and remain mindful of the broader risk landscape. But so far, we’re happy customers and we appreciate the partnership.