Woodlands Advisory and Aikido: Application Security on a Single Platform — From Repository to Runtime

Application security rarely fails for a lack of tools. It fails because of their abundance: SAST, SCA, DAST, CSPM, CNAPP, IAC, RASP — every discipline its own product, every product its own dashboard, every alert disconnected from the overall risk picture.

Anyone trying to satisfy ISO 27001 Annex A.14, NIS2 vulnerability management and the requirements of their cyber insurer at the same time loses oversight long before the first real risk is addressed.

This is where the partnership between Woodlands Advisory and Aikido begins.

What Aikido is — and what it is not

Aikido is a unified application security platform built in Europe — by developers, for engineering and security teams. The platform consolidates the fragmented disciplines of code and cloud security into one system: static and dynamic code analysis, software supply chain, containers, cloud configuration, secrets, infrastructure-as-code and runtime protection.

What makes it different: Aikido was not assembled through acquisitions. It is one integrated platform — engineered around the premise that a detected risk can be triaged, prioritised and remediated in the same context in which it originated.

Aikido is not a classic vulnerability scanner. It is the operational layer on which application and cloud security actually works inside modern engineering organisations.

In May 2026, Aikido closed a $60M Series B at a $1B valuation, led by Tom Stafford (DST Global), with participation from PSG Equity, Singular and Notion Capital. More than 100,000 teams use the platform globally — including Revolut, SoundCloud, Niantic and the Premier League. Aikido is now the fastest-ever European cybersecurity company to reach unicorn status.

One platform instead of a tool stack

A recurring pattern in cyber due diligence engagements: targets running five to seven overlapping security tools, none of which talk to each other. Risk correlation becomes impossible. What remains is noise — and a loss of trust on the buyer's side.

Aikido consolidates that fragmentation. One console, one risk view, one source of truth — across every layer:

• SAST — static code analysis directly in the repository
• SCA and Supply Chain — dependencies, SBOMs, malware in open-source packages
• DAST — dynamic tests on running applications
• CSPM — cloud configuration across AWS, Azure and GCP
• Container and IaC — images, Kubernetes manifests, Terraform
• Secrets Detection — credentials accidentally committed to code
• Runtime Protection — defence against attacks on the running system

For clients building ISO 27001, NIS2 or a defensible sales trust posture, this means one evidence base, one audit trail, one position you can stand behind — rather than a patchwork of vendor reports that collapses at the first critical question.

Self-Securing Software and Aikido Attack

With the Series B, Aikido is signalling the direction that will define the next generation of application security: self-securing software. The idea is not reactive detection, but code that continuously tests and protects itself.

The first building block is Aikido Attack — AI-driven penetration testing that deploys hundreds of specialised agents in parallel to find vulnerabilities, validate exploits and verify fixes through retesting.

For organisations currently waiting on annual manual pentests, this is a paradigm shift. For clients in regulated industries that need continuous security evidence, it is the foundation for an audit trail that holds up at the cut-off date.

What the partnership means for our clients

Woodlands Advisory brings the strategic layer: risk prioritisation, integration into the ISMS, preparation for audits and cyber insurers, translation of technical findings into board- and investor-grade language. Aikido brings the platform on which that work becomes sustainable — automated, continuous and free of tool sprawl.

In practice, we apply the combination across four mandate types:

• M&A Cyber Due Diligence — A complete picture of the target's code base, supply chain and cloud posture within days. SBOMs, open vulnerabilities, secrets in code — auditable and benchmarkable against industry baselines.
• Compliance Sprint (ISO 27001, NIS2, TISAX) — Annex A.14 (Secure Development), NIS2 vulnerability management and supply chain requirements backed by continuous evidence — rather than point-in-time documents already outdated on audit day.
• vCISO Mandate — Aikido as the operational platform under vCISO leadership. We define the risk thresholds, prioritisation rules and escalation paths; the system enforces them.
• Sales Trust Engine — Defensible security evidence for enterprise buyers, complemented by Aikido-backed trust centre content (SBOM, pentest status, vulnerability posture).

Why a platform alone is not enough

Aikido delivers visibility, correlation and automation. What it does not deliver — and is not meant to deliver — is the judgement of which risk is acceptable in a specific business context. Which exceptions can be defended in front of an auditor. How a finding should be framed for an investor during due diligence without putting the deal at risk.

That is the work Woodlands Advisory does. Platforms produce facts. Strategic advisory turns them into decisions.

Next step

If you are currently operating fragmented application security and cloud security tools, building an ISO 27001 or NIS2 programme that requires continuous evidence — or evaluating a tech target as buyer or investor in the coming weeks — a conversation is worth your time.

Get in touch: Book a meeting