SOC2 & ISO
can be a hassle
but it shouldn’t be
Technical vulnerability management is a required control for SOC 2 Type 2 and ISO 27001:2022 compliance. Aikido helps you by automating the code and cloud security controls that produce the evidence auditors ask for.
These cloud-native companies sleep better at night
Why Aikido?
Generate evidence for technical controls
Aikido performs checks and generates evidence for technical controls for ISO 27001:2022 & SOC 2 Type 2. Automating technical controls is a big step-up towards achieving ISO & SOC 2 compliance.
Option 1
Struggle through a patchwork of free tools
To comply with technical vulnerability management controls, you can set up a combination of free open source tools to scan for OS vulnerabilities, secrets, containers, etc. Each tool requires its own setup, maintenance and a place to collect its output as evidence.
Option 2
Buy expensive software packages
To comply with technical vulnerability management controls, there are many dedicated scanning platforms that work well in one area, but you will end up with a stack of expensive licenses adding up to a massive bill.
Option 3
Get Aikido
Get all-round security coverage, everything you need to check the boxes for technical vulnerability controls, at an affordable price. These checks are a great accelerator for evidence collection for SOC 2 and ISO 27001.
Aikido covers the technical code and cloud security requirements for SOC 2 Type 2 and ISO 27001:2022
SOC 2 Controls
CC3.3: Consider the potential for fraud
CC3.2: Estimate Significance of Risks Identified
CC5.2: The entity selects and develops general control activities over technology to support the achievement of objectives
CC6.1 • CC6.6 • CC6.7 • CC6.8
CC7.1: Monitor infrastructure and software
CC7.1: Implement change detection mechanism
CC7.1: Detect unknown or unauthorized components
CC7.1: Conduct vulnerability scans
CC7.2: Implement filters to analyze anomalies
CC7.5: Restores the affected environments
A1.3: Tests integrity and completeness of backup data
CC8.1: Protect confidential information
CC8.1: Track system changes
ISO 27001 Controls
A.8.2 Privileged access rights • A.8.3 Information access restriction • A.8.5 Secure authentication • A.8.6 Capacity management • A.8.7 Protection against malware • A.8.8 Management of technical vulnerabilities • A.8.9 Configuration management • A.8.12 Data leakage prevention • A.8.13 Backups • A.8.15 Logging • A.8.16 Monitoring activities • A.8.18 Use of privileged utility programs • A.8.20 Network security • A.8.24 Use of cryptography • A.8.25 Secure development lifecycle • A.8.28 Secure coding • A.8.31 Separation of development, test and production environments • A.8.32 Change management
A.5.15: Access control
A.5.16: Identity management
A.5.28: Collection of evidence
A.5.33: Protection of records
Integrations
Integrate with your compliance suite
Are you using a compliance suite? Aikido integrates with the suite of your choice.
See our integrations
Vanta
The fastest path to compliance. It collects 90% of the evidence needed for your certification.
Drata
Automates your compliance journey from start to audit-ready and beyond.
Sprinto
Sprinto is a one-stop platform for all security compliances and certification audits.
Thoropass
Thoropass is an end-to-end compliance solution offering a seamless security audit experience.
Secureframe
Leading security compliance automation platform that makes getting any compliance fast & easy.
Aikido does much more to keep your software secure
Technical vulnerability management is just the start. Aikido combines SCA, SAST, IaC scanning, attack surface monitoring, container scanning and more, all in one platform.
See our features
Instant Deduplication
When Aikido finds a vulnerability, it reports duplicate findings as a single issue. Other scanners overload you with hundreds of alerts when the same affected function or package is found in multiple places; Aikido groups them so you fix the root cause once.
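The grouping behaviour described above, as an added example that is not Aikido's code: scanners typically emit one finding per location where a vulnerable function or package is hit, so collapsing on a stable key (rule or CVE identifier plus affected component) turns many alerts into one issue with many locations. The scanner names are real tools named on this page, but the rule identifiers, components and file paths are constructed placeholders, and the `Finding` shape is a hypothetical normalised record (real output such as SARIF would be mapped into it first).

```python
"""Collapse repeated scanner findings into one issue per (rule, component).

Illustrative code only; not Aikido's implementation. All identifiers,
components and paths in SAMPLE_FINDINGS are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    """One raw finding as a scanner would report it (hypothetical shape)."""
    scanner: str      # which tool produced it (semgrep, grype, trivy, ...)
    rule: str         # SAST rule id or CVE id
    component: str    # vulnerable function or package@version
    severity: str
    location: str     # file:line, manifest, or image layer


@dataclass
class Issue:
    """One deduplicated issue with every location it was seen at."""
    rule: str
    component: str
    severity: str
    scanners: set[str] = field(default_factory=set)
    locations: list[str] = field(default_factory=list)


def dedupe(findings: list[Finding]) -> list[Issue]:
    """Group findings on a case-insensitive (rule, component) key.

    Keeps the worst severity any scanner assigned, records every distinct
    location once, and returns issues with the most severe first.
    """
    issues: dict[tuple[str, str], Issue] = {}
    for f in findings:
        key = (f.rule.lower(), f.component.lower())
        issue = issues.get(key)
        if issue is None:
            # First sighting: keep the rule string as the first scanner wrote it.
            issue = Issue(rule=f.rule, component=f.component, severity=f.severity)
            issues[key] = issue
        issue.scanners.add(f.scanner)
        if f.location not in issue.locations:
            issue.locations.append(f.location)
        # Two scanners may rate the same CVE differently; surface the worst.
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[issue.severity]:
            issue.severity = f.severity
    # sorted() is stable, so equal severities keep first-seen order.
    return sorted(issues.values(), key=lambda i: -SEVERITY_RANK[i.severity])


# Constructed sample: one SAST rule hit in three files, and one dependency
# CVE reported by two scanners (with different severity and case) in two manifests.
SAMPLE_FINDINGS = [
    Finding("semgrep", "example-rule/unsafe-deserialize", "unsafe_load", "high", "app/a.py:10"),
    Finding("semgrep", "example-rule/unsafe-deserialize", "unsafe_load", "high", "app/b.py:22"),
    Finding("semgrep", "example-rule/unsafe-deserialize", "unsafe_load", "high", "app/c.py:5"),
    Finding("grype", "example-cve-1", "libexample@1.2.3", "medium", "Dockerfile"),
    Finding("trivy", "EXAMPLE-CVE-1", "libexample@1.2.3", "high", "Dockerfile"),
    Finding("grype", "example-cve-1", "libexample@1.2.3", "medium", "requirements.txt"),
]


def summarize(findings: list[Finding]) -> list[str]:
    """Human-readable one-liner per deduplicated issue."""
    return [
        f"{i.severity.upper():8} {i.rule} in {i.component}: "
        f"{len(i.locations)} location(s), reported by {', '.join(sorted(i.scanners))}"
        for i in dedupe(findings)
    ]


if __name__ == "__main__":
    print(f"{len(SAMPLE_FINDINGS)} raw findings -> {len(dedupe(SAMPLE_FINDINGS))} issues")
    for line in summarize(SAMPLE_FINDINGS):
        print(line)
```

The key to get right in practice is the grouping key: too coarse (rule id alone) merges unrelated components into one issue, too fine (rule plus exact line) deduplicates nothing. Rule id plus affected component is the usual middle ground, and keeping every location attached to the issue means the evidence trail for the auditor is not lost by the merge.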
Leverages open source scanners
Built on reliable open source security scanners, all combined in one platform and enhanced with our own code to cover the gaps those scanners leave.
Cloud
Detects cloud infrastructure risks across major cloud providers.
Trivy
Custom rules
Code
Continuously monitors your code for known vulnerabilities, CVEs and other risks.
Trivy
Syft
Grype
Custom rules
Code
Checks your code for leaked and exposed API keys, passwords, certificates, encryption keys, etc.
Gitleaks
Code
Scans your source code for security risks before an issue can be merged.
Bandit
Semgrep
Gosec
Brakeman
Custom rules
Code
Scans Terraform, CloudFormation & Kubernetes infrastructure-as-code for misconfigurations.
Checkov
Containers
Scans your container OS for packages with known security issues.
Syft
Grype
AWS Inspector
Domain
Dynamically tests your web app’s front-end to find vulnerabilities through simulated attacks. Built on ZAP.
ZAP
Custom rules
Code
Monitors your dependency licenses for risks such as dual licensing, restrictive terms, bad reputation, etc.
Syft
Grype
Custom rules
Code
Prevents malicious packages from infiltrating your software supply chain. Powered by Phylum.
Phylum
Code
Checks if any frameworks & runtimes you are using are no longer maintained.
endoflife.date
Custom
Imports and auto-triages findings from your current scanner stack.
GitHub Advanced Security
SonarQube
Actionable advice
No need to do your own CVE research. Aikido gives you the TL;DR, tells you whether and how you are affected, and shows the easiest fix. The fastest way to remediate your security issues.
Learn more
Why Aikido?
A non-corporate approach towards vulnerability management
With Aikido, you’ll fast track your code & cloud security compliance while saving time and money.
All-in-one
Solution
Open source tools usually don't support every language or ecosystem. Aikido combines multiple scanners to cover the gaps (for example, Aikido supports .csproj files out of the box).
3x
Faster remediation
Compared to enterprise tools that don't auto-triage duplicates or false positives. Focus on relevant and critical risks only.
60%
Cheaper
Compared to the average enterprise AppSec tool. We think that software security should be accessible to companies of any size.
Trusted by thousands of developers at the world's leading organizations
FAQ
Does Aikido require agents?
No. Unlike other vendors, Zen by Aikido integrates directly into your application with no external agents. Deployment is as simple as adding a single line of code (importing a package), so you are up and running in minutes. This approach is fast, lightweight and far less intrusive.
I don’t want to connect my repository. Can I try it with a test account?
Of course. When you sign up with your git provider, don't grant access to any of your repositories and select the demo repo instead.
What happens to my data?
We clone your repositories inside temporary environments (such as Docker containers unique to you) and dispose of those containers after analysis. The scans themselves take about 1-5 minutes. All clones and containers are then auto-removed, always, every time, for every customer.