How Raisin secures AI-accelerated development without slowing its engineers, with Aikido

  • Migrated from: Open source tools
  • 50 deploys/day, with security keeping pace
  • 2 weeks from a new AI threat flagged to a shipped rule
  • 200 AutoFixes a month
  • Aikido MCP: inside the AI assistant

Raisin is a Berlin-based fintech that runs an online savings and investment marketplace, connecting more than a million customers with deposit and savings products from a network of partner banks across Europe, the UK and the US. That means handling a lot of people's money in a regulated market, which puts real weight on application security.

Raisin’s CISO and product security lead were watching AI-assisted engineering outrun a self-maintained open-source security stack. Here’s why a regulated European fintech chose Aikido to keep up, and how it fits the way the team already works.

At a glance

  • Replaced a self-maintained open-source scanner stack with one platform for application and supply-chain security
  • Runs Aikido inside JetBrains and VS Code, and inside developer AI assistants through MCP, so security sits in the workflow rather than beside it
  • Uses reachability analysis on JavaScript and Python to cut manual triage
  • Generates around 200 AutoFixes a month
  • Had a code-quality rule for a new AI skills threat shipped within about two weeks of asking
  • Uses Aikido Safe Chain for developers in the NPM and PyPI ecosystems
  • Ships to production around 50 times a day, with security keeping pace rather than blocking

Challenge

A DIY open-source stack that stopped scaling

Before Aikido, the product security team led by Steeven George ran security on open-source scanners it maintained in-house, wired into the build pipelines as separate jobs. That worked while the engineering team was small. As the team grew and new services arrived, the jobs started to fail, and the team spent its time fixing scanners instead of acting on what they found.

“We were running a lot of open-source scanners, with separate jobs in our pipelines that we had to maintain. As we scaled and added services, those jobs started to fail, and we spent a lot of time fixing them instead of acting on what they found.”

Steeven George, head of product security, Raisin

Triage piled on top. On SCA the team checked by hand whether a finding was reachable, or risked dropping 10 or 20 criticals per project on developers who already treated security as a blocker.

Security falling behind AI-accelerated engineering

Nitesh Gaikwad, Raisin’s CISO, saw the same problem from the top. AI coding tools were speeding the engineers up, and application security wasn’t keeping pace. Older projects held issues the team had no clear way to see.

“Our engineers were speeding up, especially with AI tooling, but we weren’t catching up on the application and product security side. We needed something that could find security issues fast, inside the engineering workflow.”

Nitesh Gaikwad, CISO, Raisin

For Nitesh the job was risk: find the gaps in projects the team had never been able to inspect, and keep critical issues out of production, without becoming the thing that slowed delivery down.

Why Raisin chose Aikido

Nitesh ran the evaluation against tools including Wiz and CrowdStrike, and against the option of staying on the in-house setup. Aikido stood out for its malware analysis on open-source packages and third-party libraries, and for covering the range in one platform rather than across disconnected tools.

“What stood out was the malware analysis on open-source packages and third-party libraries. No other tool we evaluated covered the range in one platform.”

Nitesh Gaikwad, CISO, Raisin

The product had to win developers' trust too, not just the security team's. At Raisin, platform engineering has to green-light new tooling, so usability was part of the test. For Steeven, the technical draw was consolidation plus reachability.

“Aikido gave us a single pane. With reachability analysis for JavaScript and Python, we triage less and there’s less friction on the SAST side.”

Steeven George, head of product security, Raisin

How Aikido fits the way Raisin works

Developers see Aikido findings in the editors they already use, and through the MCP integration their AI assistants can pull Aikido context directly. Security sits in the workflow instead of in a separate console developers have to remember to open.

“Aikido sits inside the IDEs our developers already use, like JetBrains and VS Code. With the MCP integration they can query Aikido and see what issues a repository has, without leaving their tools.”

Steeven George, head of product security, Raisin

Aikido runs Raisin’s SAST, SCA, secret detection and open-source package malware scanning in one place, with reachability analysis on JavaScript and Python. Engineers can see which findings touch live code paths and which don’t, which removed most of the manual triage the team used to carry.

On remediation, Aikido AutoFix generates around 200 fixes a month. Each fix carries a confidence level, and a developer reviews it before it lands.

“We get around 200 AutoFixes a month. Most SAST tools just hand you a recommendation. Aikido understands the context and gives a fix that’s almost ready to merge, with a confidence level, so the developer can judge it.”

Steeven George, head of product security, Raisin

Raisin also uses Aikido Safe Chain for developers working in the NPM and PyPI ecosystems. Its CI/CD scanning, once a set of brittle open-source jobs, now runs through Aikido as a single integration.

A vendor that ships at their pace

The clearest test came from a threat that barely existed a month earlier. Raisin’s developers started pulling in external AI skills, and the team worried about malware riding in with them. No tool on the market covered it. Raisin raised it with Aikido, and a rule landed in the code-quality module in about two weeks. The team now scans for it from a central repository. Founder access in a shared Slack channel made the conversation quick, but the part Steeven points to is the turnaround, not the access.

“We were worried because external skills were arriving with malware, and no other tool covered it. Aikido had a rule in the code-quality module within about two weeks.”

Steeven George, head of product security, Raisin

Raisin ships fast, and keeps getting faster. Production changes have scaled from around 10 a day to about 50. At that rate security either keeps up or becomes the bottleneck. Nitesh’s aim is to catch issues during development, in the IDE, rather than at a pipeline gate later, and that's exactly what Aikido helps with.

“We can speed the process up rather than blocking the pipeline. Most issues get identified in development, in the IDE, instead of at a pipeline-blocking stage, so we push to main much faster.”

Nitesh Gaikwad, CISO, Raisin

Final verdict

“One of our biggest wins is that the old friction between security and developers is gone. They trust that when Aikido raises something, it’s worth their time.”
