At a glance
- Embedded security directly into developer workflows and pull requests
- Shifted from reactive, scheduled scans to continuous security feedback
- Reduced noise with reachability-based prioritization and fewer false positives
- Unified SAST, SCA, and secrets detection in a single platform
- Scaled security across 200+ repositories with minimal overhead
- Supports enterprise security and compliance across ISO 27001, GDPR, and healthcare regulations
Building secure digital healthcare at scale
Oviva delivers reimbursed, evidence-based digital healthcare programs for chronic conditions such as obesity and type 2 diabetes. Its platform combines clinical expertise, AI-driven insights, and personalized coaching to drive long-term patient outcomes. In this environment, security is inseparable from patient safety. Oviva handles highly sensitive medical data and operates under strict regulatory frameworks including ISO 27001, GDPR, and country-specific healthcare standards. Trust is not just expected; it is required.
“Security in digital health is fundamentally about protecting patients and maintaining trust.”
As the company scaled, that responsibility needed to be reflected not just in policy, but in how software was built.
When growth outpaces security workflows
Before Aikido, Oviva relied on a combination of open-source tools for SAST, SCA, and vulnerability management. While effective in isolation, they created friction at scale. Security scans were scheduled rather than continuous. Findings had to be aggregated across tools. Triage required coordination between teams. As the number of repositories and contributors grew, so did the operational overhead.
Over time, this created friction for both developers and security teams. Issues were identified late, ownership was unclear, and valuable time was spent coordinating and triaging instead of fixing. Security was present, but it lived outside the developer workflow. The team saw an opportunity to change that.
Moving to continuous, developer-first security
Oviva set out to embed security directly into development. Instead of relying on periodic scans and centralized triage, the goal was to surface issues where they occur: in pull requests, during builds, and inside developer workflows. Developers needed immediate, actionable feedback so issues could be resolved before reaching production.
Just as important was reducing noise. High volumes of false positives slow teams down and erode trust in security tools. Any new approach had to prioritize accuracy, clarity, and usability. Tools that overwhelm engineers with false positives don’t get used.
Why Oviva chose Aikido over Snyk and Prisma Cloud
During evaluation, Oviva assessed platforms including Snyk, Prisma Cloud, Semgrep, and GitHub Advanced Security. Aikido stood out by removing common trade-offs.
Where larger platforms like Prisma Cloud introduced operational complexity, Aikido integrated cleanly into existing Git and CI/CD workflows. Where tools like Snyk often generated high volumes of findings, Aikido focused on signal, helping teams prioritize issues that matter.
Instead of stitching together multiple tools, Oviva could consolidate core application security capabilities into a single platform that developers could adopt immediately.
“Aikido struck the right balance between capability, usability, and developer experience.”
Rolling out across 200+ repositories in weeks
Adoption was fast and low-friction. Oviva onboarded more than 75 developers and connected over 200 repositories within a few weeks.
Setup required only a few steps to integrate repositories and enable scanning. Because the platform is intuitive, developers were able to start using it immediately, without extensive onboarding or training.
For the security team, this meant instant visibility across a large and growing engineering environment.
From reactive scans to continuous security
With Aikido, security shifted from scheduled scans to real-time feedback.
Checks now run directly in pull requests and CI/CD pipelines. Developers receive immediate feedback as they introduce changes, allowing them to resolve vulnerabilities before code is merged or deployed.
At the same time, Aikido reduces noise through reachability analysis, highlighting vulnerabilities that are actually exploitable rather than flagging every theoretical issue. Combined with clear remediation guidance and autofix capabilities, this enables teams to focus on real risk instead of spending time on triage.
Security moves from a gate at the end to a guardrail throughout development.
Simplifying vulnerability management and compliance
Previously, vulnerability management required aggregating results across tools and managing them through external systems.
With Aikido, everything is centralized in one platform. Security teams gain a clear, unified view of vulnerabilities across all repositories, with built-in prioritization and ownership tracking. Developers see exactly what needs to be fixed and why.
This has a direct impact on compliance. In a healthcare environment, the ability to demonstrate security posture quickly and clearly is critical.
“Aikido gives us a centralized and well-prioritized view of vulnerabilities, making compliance reporting much easier.”
The impact
Adopting Aikido changed how Oviva approaches security across both engineering and organizational levels. Vulnerabilities are now identified earlier and resolved faster. Developers actively engage with security because feedback is immediate and actionable, rather than something they encounter after the fact.
Crucially, teams are no longer spending their time investigating noise. They are fixing real issues. Security teams have shifted away from manual triage toward higher-value work, while the organization has strengthened its ability to meet regulatory requirements and maintain clear visibility into its security posture as it scales.
A step change in security maturity
Aikido enabled Oviva to move from a reactive, tool-driven approach to a proactive, developer-centric DevSecOps model. Security is now continuous, integrated, and scalable across the organization.
“Aikido enabled us to shift from reactive scanning to a proactive, developer-centric model, improving visibility and helping us scale security as we grow.”
Looking ahead
As Oviva continues to expand its platform, it needs a security foundation that can evolve with it. With Aikido, the team is positioned to extend its approach into additional domains such as container and cloud security without adding complexity. Because in digital healthcare, security is not just about protecting systems. It is about protecting patients.


