Aikido

How Serko Built a Secure Developer Platform with Aikido

Migrated from -

  • 1 Internal Developer Platform
  • 1 Code, Cloud & API Security Layer
  • 100% Security by Default
  • 1 Unified Security View

At a glance

  • Embedded security-by-design into Serko’s internal developer platform
  • Eliminated false positives, restoring trust in security findings
  • Unified code, cloud, container and API security in one platform
  • Enabled engineers to own and fix vulnerabilities, not triage noise
  • Integrated security directly into developer workflows and templates
  • Supported a Platform-as-a-Product engineering model
  • Delivered organization-wide visibility via Port integration
  • Selected Aikido Security over a legacy developer security platform

Secure-by-design vision

Darshit’s role shifted from being part of the product team into being the Senior Principal Engineer leading Serko’s platform engineering initiative. This switch stemmed from an opportunity Darshit saw to significantly reduce the friction product engineers felt when building new product features.

“There is always friction and derailment when your team wants to build a new service or API, but there are no standard templates. For example, having an API template that has the OWASP Top 10 and other security guardrails embedded,” he said.

Without these templates, it was painstaking for developers to build things from scratch, reinventing the wheel every time.

This is why Darshit sees platform engineering as key to Serko’s success, adopting what is known as a ‘Platform-as-a-Product’ mindset.

“If we do it right, we can definitely help our internal customers, like our engineers, engineering leaders, product managers and delivery leaders, and we can reduce their cognitive load, ensuring that they focus on writing business logic,” said Darshit.

Serko’s platform engineering initiative focuses on reusable, secure-by-default templates and internal tools that eliminate repetitive work. By embedding security standards like OWASP Top 10 into every service from day one, the team ensures developers can innovate confidently without compromising safety.

The first thing Darshit wanted to get right was security.

Handling false positives

Before Aikido, Serko relied on a developer security platform that created noise and trust challenges.

“We were using a tool that prides itself on sniffing out vulnerabilities, but this wasn’t the case. We had many false positives. Engineers were frustrated by the many false positives being detected which led to a lack of trust.”

“In addition, we wanted improvements and enhancements made to the developer security platform that were not forthcoming, even after many months of working with the provider,” he said. “Technology was moving very fast, but there were some missing capabilities like cloud-related vulnerability management, AI AutoFix and APIs that we could leverage to build or integrate customer workflows or tools,” he added.

As a result of these frustrations, Serko piloted Aikido, comparing the vulnerabilities it reported for some repositories against those reported by the existing developer security platform.

“Our security folks and myself knew that some of these were false positives and shouldn’t be there, and Aikido didn’t show up with those vulnerabilities, which was a great sign,” he said.

Along with this, Darshit explained that Aikido’s ability to group the same vulnerabilities across different codebases, and its complete step-by-step descriptions for resolving them, were further differentiators, while cloud, code and API security and AI AutoFix were also deciding factors in selecting Aikido.

“The commitment from Aikido to align with Serko’s platform-first strategy was high, and working with them has been amazing. They’re solving our problems and when an opportunity comes for an integration, such as integrating internal developer portal Port with Aikido, they worked to get it done,” he said.

“This isn’t only feedback from me. We have had many Serko product engineers come up to us saying ‘Aikido is a great platform you guys are providing us and we see a lot of value out of it’,” he added.

“On the flipside, every day we were getting complaints and frustration from our engineers who were using the previous developer security tool. But with Aikido, we’ve not received any such complaints,” said Darshit.

The Impact of Serko’s Developer Security Platform - Powered by Aikido

Adopting Aikido has helped Serko to transform how teams approach security. Vulnerabilities are no longer hidden amongst false positives and engineers feel ownership of resolving issues. This cultural shift is a direct result of Serko’s platform engineering vision, supported securely by Aikido Security.

“With our previous security platform, there was a lack of trust around the vulnerabilities it highlighted.

“With Aikido, the clarity was much better. We asked teams to start tackling critical issues, and they did. Today, we have materially improved our security posture because people are actually fixing issues, not investigating false positives,” he said.

Aikido’s State of AI, Developers & Security 2025 found that 15 percent of engineering time is lost to triaging alerts, and most of that time (72 percent) is on false positives. In fact, on average, teams waste five hours per week dealing with false positives. But the damage false positives cause goes beyond this. They can force teams into workarounds and risky shortcuts. Two-thirds of respondents bypass security tools, dismiss findings or delay fixes because they are fed up with dealing with false positives.

A big sign that Aikido and the overall platform engineering concept are working is that these workarounds are not happening at Serko.

In addition, for older legacy frameworks, Serko built in regular leadership security reviews. If a team wants to delay fixing a specific vulnerability, they need to get leadership to approve the risk, which involves putting together a motivation explaining why this is acceptable. These are regularly reviewed by leaders. The goal is to retain visibility, so leaders know where serious risks sit, and can push for action rather than letting them be ignored.

Integrating Aikido with Port

Context is key for developers, and Darshit believes the combination of Aikido with Port (used as Serko’s developer portal) is a significant step forward for Serko’s platform engineering success.

“With Aikido and Port combined, vulnerabilities will be visible alongside Serko’s assets, not just services but also cloud resources, databases, and components. That gives us clear, organization-wide visibility. We’re also building a security scorecard through the integration. This will allow us to show, for example, which APIs sit at a bronze, silver, or gold tier within our API catalog. The scorecard provides an easy way to understand security posture across different teams and assets.”

The integration will also enable technology leadership to easily see how many vulnerabilities there are across our systems from a team, group or org perspective, showing which teams are behind and which have zero vulnerabilities. This will help product and engineering leadership.

“By giving leaders visibility into security posture, they can make informed decisions about priorities. We don’t want to block people with hard gates; instead, we want to empower them with data so they can balance delivery with security,” Darshit explained.

Conclusion

For Darshit, platform engineering is about more than technology; it is about changing culture. By using Aikido, Serko has given engineers the confidence to trust security findings and created a framework where product teams can see the trade-offs between speed and security. Crucially, it has supported Serko in building a developer platform where security is everyone’s responsibility. As Serko continues to evolve, it’s setting a new standard for secure-by-design platform engineering, with Aikido as a critical trusted partner along the way.
