How Aikido Uses AI
Aikido uses AI throughout the full software development lifecycle. It starts in the IDE, continues in pull requests and scans, helps teams fix and enforce security standards, and extends into runtime protection and pentesting.
We never use, store, or train on any customer data. Small, anonymized code fragments may be used to guarantee the accuracy of triaging and fixing vulnerabilities.
All AI operations are inference-only, meaning data are processed transiently in memory and never retained or reused.
For a detailed overview of our controls, environments, and compliance measures, please refer to our AI Policy, available upon request through our Trust Center.
AI across the SDLC
From first code to production, Aikido uses AI to:
prioritize issues early
interrogate findings with contextual AI chat
analyze dependency CVEs against real code usage
generate and refine fixes
generate API specs
enforce custom code and cloud rules
learn repo-specific standards through extra code context
track AI usage in production
validate security with AI-powered pentests
1. Start in the IDE
Aikido brings AI directly into the IDE. Developers can prioritize findings and apply fixes before code reaches a pull request.
Read Aikido AI in IDE.
2. Reduce noise during scans and review
As code moves through scans and pull requests, Aikido uses AI to cut noise and surface what matters first. It checks exploitability, reads real code context, and reprioritizes issues based on likely impact. Check out Denoise via SAST AutoTriage.
Aikido applies the same approach to secret findings. Secrets AutoTriage filters out false positives and prioritizes exposed secrets by whether they are still active and how much access they grant.
For dependency findings, Aikido also runs CVE Exploitability Analysis. It uses AI agents to inspect how a vulnerable package is used in your repository and decide whether the CVE is actually exploitable in your environment. Based on your settings, Aikido can downgrade, upgrade, snooze, or ignore the finding automatically.
When you want to inspect one finding in more detail, use Ask Aikido: Contextual AI Chat. It helps you validate severity, understand realistic attack paths, and ask whether an issue is actually reachable or exploitable in your app. For dependency CVEs, it can also explain the reachability path and the full impact of the vulnerable package in plain language.
Code Quality is also AI-powered. It reviews newly introduced pull request changes and helps enforce engineering standards across many languages. More info in Code Quality Overview.
You can also add extra code context. This gives Aikido AI more signal and less noise. Use it to explain accepted exceptions, architectural choices, and repo-specific standards. Aikido then uses that context to make Code Quality comments more relevant. Check out how to Add Extra Code Context.
3. Fix issues with AutoFix
Aikido generates reviewable fixes for code, dependencies, infrastructure, and containers. You can apply fixes in the IDE or open pull requests for review.
You can also refine generated fixes with follow-up instructions, so the patch better matches your codebase and standards.
Read AutoFix Overview, AutoFix for SAST and IaC Issues, AutoFix for Open Source Dependencies, AutoFix for Containers, and Refine AutoFixes with Aikido AI.
4. Generate specs and enforce policies
Aikido can generate an OpenAPI specification directly from backend code. That helps teams start API scanning without maintaining the spec by hand.
Aikido also uses AI for custom rule creation. Teams can define custom code checks in natural language and generate custom cloud misconfiguration checks for their environment.
Read Add Custom Code Rules and Custom CSPM Rules.
5. Track runtime AI usage
Zen Firewall tracks LLM provider usage, model activity, token consumption, and estimated cost. That gives teams visibility into how AI is used in running applications.
6. Validate security with Pentests
Aikido Pentest uses autonomous agents to discover, exploit, and validate vulnerabilities across applications, APIs, and infrastructure.
Read Pentest Overview.
Last updated
Was this helpful?