Aikido

We don’t notice Aikido, and that’s the best part: Timefold’s story


Timefold builds workforce scheduling optimization software. Their open core engine, the Timefold Solver, tackles NP-hard planning problems. On top of that, they ship off-the-shelf APIs for use cases like employee shift scheduling, field service routing, and pickup/delivery routing, plus a SaaS platform that adds deeper insight into planning performance.

As Timefold accelerated ISO work and pushed toward SOC 2, the team wanted continuous security visibility across their stack, without slowing engineers down or turning security into a bottleneck.

At a glance

  • People we spoke with: Pieter De Schepper (VP Engineering), Jenne (Site Reliability & Security Engineer)
  • Why Aikido: ISO readiness and SOC 2 acceleration through continuous security monitoring
  • Before Aikido: GitHub Dependabot + strong PR reviews
  • Tooling: GitHub (repos), Vanta (compliance reporting)
  • Aikido coverage: repos, containers, cloud configuration (Google Cloud), domains, reporting (licenses), Kubernetes scanning

Challenge: Security visibility didn’t match compliance speed

Timefold has always treated security as part of engineering. They already had strong PR reviews, experienced developers, and Dependabot for dependency alerts.

But as compliance requirements ramped up, they hit a common gap: visibility. Dependabot helped, but it didn’t provide an always-on view across everything they run. They needed a clearer way to answer basic questions quickly: which dependencies are used where, which versions are deployed, and what actually needs attention when a new vulnerability drops.

At the same time, security couldn’t become a gate. Timefold wanted better coverage without adding process drag or relying on a small group to manually police everything.

Solution: Continuous scanning across the stack, in less than a day

Aikido reached out at the perfect time. Timefold was actively looking for security tooling to support ISO work and accelerate SOC 2 readiness.

What stood out was how quickly they could move from evaluation to real coverage. According to Jenne, the setup was fast and painless.

“We had scanning integrated into CI in less than a day.”

Timefold works primarily in GitHub, and Aikido fits naturally into that workflow. They enabled scanning on their key repositories, turned on pull request checks, and expanded coverage beyond code and dependencies into the rest of their environment.

Today, Timefold uses Aikido to scan repositories, containers, Google Cloud projects for configuration risks, and external domains including GraphQL endpoints. They also make use of reporting, including license reporting, which became particularly useful during fundraising diligence.

Outcome: Less noise, faster upgrades, clearer coverage

For Timefold, the biggest improvement was operational: moving from periodic reviews to continuous monitoring.

Instead of reacting only when Dependabot flags something, they now have a clearer overview of what’s running across the stack and a more consistent way to prioritize vulnerabilities. This increased how quickly and how often they upgrade packages when issues are discovered.

Noise reduction also mattered. Fewer false positives mean engineers don’t waste time triaging and can focus on real risk.

“Noise reduction is huge. It lowers false positives so engineers can focus on what matters.”

Aikido also helped Timefold respond quickly to major ecosystem disclosures. One example was the Next.js authentication bypass vulnerability. Timefold wasn’t heavily impacted because Next.js was used only for the frontend, and backend authentication still applied, but it was still the kind of issue they wanted to identify and fix fast.

On the compliance side, Timefold is now SOC 2 compliant, using Aikido’s continuous coverage alongside existing compliance tooling like Vanta.

Summary

Timefold didn’t need a security platform that demanded attention. They needed one that quietly keeps security in order, supports compliance work, and lets engineers stay productive.

For Pieter, that’s the ideal result:

“Aikido is there, but we don’t notice it. And that’s what I like about it.”

Aikido runs in the background, teams stay focused, and security improves without becoming a bottleneck.
