Aikido

Securing code the Finnish way: No drama. It just works.

Hey Aki! Can you introduce yourself and your role at Midaxo?

I’m Aki Hänninen, CISO and DevSecOps lead at Midaxo. I split those roles deliberately: the CISO side is more about corporate security, governance, and certifications like ISO 27001, while the DevSecOps side focuses on product and platform security. Our engineering team is about 15 people (across 5 teams) split between Finland and the US.

I actually started at Midaxo as a software architect when we rebuilt our cloud platform from scratch. As we matured, I transitioned toward operations and security, and now I consider myself a “recovering software architect” (laughs). I’m still close to the code, but focused on enabling security across the organization.

And what does Midaxo do?

Midaxo is a centralized software platform purpose-built for M&A and corporate development teams. It’s designed to manage complex processes like acquisitions, divestitures, IP management, and more.

While many teams still rely on Excel and PowerPoint to run these initiatives, Midaxo provides a centralized system that replaces those manual tools with a more structured, collaborative, and repeatable workflow. It brings everything together in one place, so teams can move faster, reduce risk, and make better decisions with real-time visibility and accountability across the entire deal lifecycle.

How important is security to your business?

It’s absolutely mandatory. Most of our deals involve third-party risk assessments, and expectations around data protection and confidentiality are high (especially given the nature of our customers’ work). Security is a major differentiator for us. It gives our customers confidence in choosing Midaxo as their partner in managing sensitive, high-stakes processes.

It’s not just about compliance or checkboxes for a security assessment. We treat security as an integral part of the product. That includes how we build, how we deploy, and how we manage incidents or vulnerabilities internally. That’s why we’ve invested so heavily in security across the board: from product to infrastructure.

What were your top security concerns before using Aikido?

We’re very cloud-native and lean heavily on AWS-managed services and serverless infrastructure, which means we can offload some of the infrastructure security. But that also shifts our internal focus to application security.

Managing vulnerabilities was a pain. SCA findings, SAST, DAST… everything was spread across different tools (AWS Inspector, SonarCloud, and Detectify to name a few). It became the classic whack-a-mole game of “Hey, did anyone look into this vulnerability yet?” 

“Before Aikido, managing security was the classic whack-a-mole game of ‘Hey, did anyone look into this vulnerability yet?’”

Each tool worked in isolation. There was no unified view. Vulnerabilities had to be manually triaged and assigned. It slowed everything down. Our security team was doing most of the heavy lifting, and adoption of security tools and practices across the wider engineering team was low.

What made Aikido stand out during your evaluation?

Aikido felt like it was built with companies like ours in mind, having strong engineering teams in-house, but resource-constrained on security personnel, not exclusively for giant enterprises (like some of the other vendors in the space).

“Developers started fixing issues on their own, because Aikido made it easy to know what to do and who should do it.”

Setup was easy, governance became clearer, and ownership became obvious. The platform helped us surface relevant issues to the right teams without all the noise. What I liked most is that it streamlined our workflow. What a relief to stop jumping between dashboards and tools.

How did the rollout go? Was it hard to integrate with your existing setup?

“Honestly? The rollout was almost invisible. Everything fits like a glove.”

We’re big on keeping teams autonomous, and Aikido’s team filtering feature was crucial for me as a CISO. Each of our five teams now sees just which security findings are relevant to their code, and it aligns perfectly with how we operate. That alone made adoption smooth.

Aikido's team filtering, with search and statistics on solved and new issues.

How was your experience working with the Aikido team?

The team has been outstanding. When I finally had time to try the tool, the team was right there to help. Everyone we’ve interacted with has shown a real customer-first mentality. They listen to feedback, act on it, and make us feel like partners.

Honestly, that kind of responsiveness is rare, and it’s made a lasting impression on us.

What’s changed in how you manage security?

It’s transformed our vulnerability management process into something much more proactive and developer-friendly. We now push critical findings directly to team-specific Slack channels. The awareness is higher, the noise is lower, and the process is finally sustainable. The security team gets to step back and focus on governance, not daily follow-ups.

“Before Aikido, AppSec felt like friction. Now it’s just part of the flow. Security is no longer seen as external or annoying. It’s just part of how teams ship software.”

Before, it was hard to get teams to act. Now we’re seeing a steady decline in critical and high-severity issues. We’re planning to set a baseline later this year to track how well we maintain this improved posture over time.
Plus, the bigger win is cultural: security is no longer seen as external or annoying. It’s just part of how teams ship software.

How have developers responded?

That’s the funny part. In Finnish culture, if something’s broken, you’ll hear about it. If it works, you won’t.

“The fact that no one complains about Aikido? That’s about the best feedback you can get here in Finland.”

And if I may add a cultural note: in Finnish culture, we’re not big on giving compliments. But when our developers say “it’s not rubbish and it works,” that’s about as high praise as you can get (laughs). And that’s how our team feels about Aikido: it’s useful, quiet, and gets the job done.

What’s your favorite feature?

As mentioned, the team filtering is number one for me. It supports our decentralized way of working and makes my job of overseeing security across teams way easier.

But I’ll give a special shoutout to the auto-ignore feature too. It quietly removes a bunch of irrelevant findings, which saves us time and mental bandwidth. I sometimes check the number just to feel good.

“I check the auto-ignore count sometimes just to feel good. That’s all work we didn’t have to do.”

Aikido gives you a centralized overview of all ignored issues across the SDLC.

Last but not least: if you had to summarize Aikido in one sentence, what would it be?

“It just works.” And for a Finnish development team? That’s high praise. 
