British cybersecurity company Glasswall, which specializes in file protection through Content Disarm and Reconstruction (CDR) technology, replaced Snyk, Wiz Code, and Black Duck with a single Aikido deployment, gained VC Package C++ coverage within two weeks, and rolled out Safe Chain across every production pipeline touching supported packages.
At a glance
- Replaced Snyk, Wiz Code, and Black Duck with Aikido
- VC Package C++ support shipped within two weeks of requesting it
- Push-button AutoFix for vulnerable dependencies
- Connected directly to Azure DevOps repos and container registries
- Consolidated code, dependency, and container security into one platform
- Safe-Chain deployed across every production pipeline touching supported packages
- Evaluating AI Pentesting as the next evolution of offensive testing
Challenge
Chris Holman leads application security at Glasswall, a British cybersecurity company focused on protecting organizations from file-based threats. As a cybersecurity vendor itself, Glasswall evaluated its AppSec tooling with the same scrutiny it applies to its own products.
When Chris stepped into the role, Glasswall’s AppSec environment had expanded gradually across multiple vendors.
Snyk handled dependency scanning. Wiz Code covered code-level analysis. Black Duck handled open-source governance. SonarQube covered code quality. Each tool solved a specific problem, but together they created operational complexity. Developers had been burnt before by tools generating findings they couldn't trust, and the security team was spending time separating signal from noise instead of fixing problems.
“We had Snyk, Wiz Code and Black Duck in different parts of the estate. Every one of them was a good tool on its own. Together they were a mess.”
The overlap between tools created duplicated findings, fragmented prioritization, and growing management overhead. The procurement footprint had also outgrown the value the team was getting back.
At the same time, the team's C++ environment created another challenge. Glasswall relies heavily on VC Package, a dependency management setup that many modern scanners either supported poorly or did not support at all. The team needed coverage that could work directly with their environment instead of forcing engineering teams into workarounds.
“Our environment depends heavily on VC Package. Most of the scanners we evaluated either didn’t support it or supported it badly. Aikido committed to shipping it, and they shipped it in two weeks.”
Solution
For Chris, the biggest differentiator was execution speed and responsiveness.
Where larger vendors operated on quarterly release cycles, Aikido shipped requested functionality within weeks. VC Package support became the clearest example. After Glasswall raised the requirement, Aikido delivered production-ready support within a two-week window. That responsiveness immediately changed the evaluation.
Glasswall also ran Aikido side-by-side against Wiz Code on the same production codebase during the evaluation process. The findings were comparable enough that the economics became difficult to ignore.
“We ran Aikido and Wiz Code side by side. The findings were comparable, and Aikido was a fraction of the cost. That was the moment the decision was made.”
Aikido also integrated directly into Glasswall's Azure DevOps repositories and container registries, giving the team centralized visibility across code, dependencies, and containers.
Implementation matched the same pace. Within a single day, Glasswall went from no Aikido deployment to full coverage across every pipeline. Connecting Azure repos and container registries took a click rather than building pipeline templates or injecting CLI tools manually, which mattered for a small DevSecOps team where engineering time is the scarcest resource.
Glasswall also rolled out Aikido Safe-Chain across every production pipeline that touches supported packages. Following recent supply chain incidents that exposed how quickly malicious packages can spread, Safe-Chain checks dependencies before they're installed rather than relying solely on public CVE databases.
"You can't just rely on public CVE databases to tell you whether or not an issue is within your package. You need to then rely on kind of dissecting that package and making sure that before you install it, it's safe to use."
For vulnerable dependency upgrades, Glasswall significantly reduced the amount of manual engineering effort required. Developers can now see both the finding and the remediation path in the same workflow, with automated pull requests generated directly by Aikido.
“For most vulnerable dependencies, it’s push-of-a-button. The PR is there, the test is there, you merge it.”
For Glasswall, the roadmap mattered as much as current functionality. As a cybersecurity company, the team was evaluating not only what AppSec tooling looks like today, but where offensive security testing is heading over the next several years. AI pentesting stood out as an important signal. For Chris, it demonstrated that Aikido was investing beyond traditional scanning workflows and thinking about how offensive security testing will evolve over the coming years.
“What you guys are doing with the multi-agent AI pentesting approach is going to be the new norm. Bug bounty isn’t a dying art, but a lot of researchers are now using AI. Why can’t we adopt AI ourselves to find exploits?”
Why Glasswall chose Aikido
Several factors ultimately drove the decision:
- VC Package and C++ support delivered within two weeks
- Native Azure DevOps and container registry integrations
- Comparable findings to Wiz Code at significantly lower cost
- Consolidation of code quality into the same platform
- Push-button AutoFix for dependency remediation
- A roadmap aligned with AI-driven offensive testing
Results
The most visible result was consolidation. Snyk, Wiz Code, and Black Duck were replaced by a single Aikido deployment covering code, dependencies, and containers. The impact extended beyond procurement savings. Consolidation reduced operational complexity, simplified prioritization, and gave the security team a single workflow instead of fragmented tooling spread across multiple vendors.
Glasswall is also continuing to expand coverage across additional attack surfaces. One of the next priorities is securing the build-agent infrastructure itself.
"Build agents are our number-one target. Making sure we've got a real security onion on them is paramount. Using Aikido Device Protection for our build agents would ensure the bigger ecosystem is secure."
For Chris, AI-assisted offensive testing is one of the most important shifts happening in application security today.
“AI pentesting is going to become the new norm. A lot of researchers are already using AI to find exploits. Security teams need to adopt the same approach.”
How Glasswall uses Aikido today
Currently using
- SAST and SCA scanning
- VC Package / C++ dependency coverage
- Container scanning
- Secret detection
- Code Quality
- Safe Chain for supply chain protection
- AI AutoFix
- Azure DevOps and container registry integrations
Planning next
- Aikido Device Protection for build agents
Evaluating
- AI pentesting
Final verdict
“For us it’s about the human approach. We need a partner that can move at the speed we’re moving at, and Aikido does.”

