Finding and exploiting software vulnerabilities is becoming much easier thanks to AI, bringing increased risk for developers and users alike, and putting unprecedented pressure on security teams. In this conversation, Madeline Lawrence, Chief Growth Officer at Aikido Security, joins Henri Tilloy, Partner at Singular, to discuss Aikido's meteoric rise, the case for EU-based cybersecurity sovereignty, and a bold idea reshaping the industry: software that protects itself.
Transcript
00:26Hello.
00:28Hello, everyone.
00:30Thank you to all those of you who stayed until late this afternoon.
00:34It's great to be here.
00:37Let's start the conversation with a quick intro.
00:39So my name is Henri.
00:41I'm a partner at Singular.
00:43We are an early-stage venture capital firm.
00:46We invest all across Europe, cover a wide range of verticals, and that includes cybersecurity,
00:53where we spend a lot of our time.
00:56And today with me, we're very happy to have Madeline, who is the co-founder and CGO of
01:02Aikido.
01:04Madeline, maybe before we dive in, could we just quickly introduce what Aikido is and share
01:10maybe a few numbers or key metrics about your trajectory right now?
01:14Sure.
01:15Nice to meet all of you.
01:16I'm Madeline, one of the co-founders of Aikido.
01:18If you don't know Aikido, we are the only European unicorn in cybersecurity across software, so
01:24code, cloud, runtime, and offensive security.
01:26We're actually based in Belgium, the beautiful country of, if you've been to Ghent.
01:31We started, we got some love for Ghent over here.
01:33Let's go, 9,000.
01:35We started around three years ago.
01:37Today, we're more than 260 people.
01:40We're closing more than 1.5 million new revenue per week, and we secure the likes of Revolut
01:45or the UK government or Lovable, many of the European unicorns we know and love, from Legora
01:51to n8n to companies such as the Premier League or even the American version of the NFL.
01:58So, pleasure to be with you here today and talk a little bit about the future of cyber.
02:03You also happen to be a fairly young company, an AI-native company, and now with the rise
02:09of AI, cybersecurity is under the spotlight.
02:12Can you explain quickly from what you see from the trenches with your customers and prospects,
02:17what has changed?
02:20I think that the biggest, most glaring thing that has changed with AI and cyber is people
02:26are talking about cyber.
02:28People that are not cyber people are talking about cyber.
02:31And, you know, if you're in the cyber community, which I assume a lot of you are, there's this
02:36feeling in security that it's been, you know, the kid that was invited to the party, but
02:42nobody wants to be there, but you have to invite them because your mom said you had to, right?
02:46And CISOs were maybe not considered to be legitimate C-levels, and maybe they even reported to whomever, and security,
02:53you know, never got the budget it deserved, it never got maybe the authority, it was stuck in between development,
03:00or wherever it lived in the organization, and now today, I think if you were to ask any Fortune 500
03:06CEO or even many people here today who have no idea even how to spell cybersecurity, what is the biggest
03:13threat that AI poses, a lot of them would say cyber.
03:15So it's really made the idea of, are we secure, are we at risk, and where does that risk live,
03:22how do we find it and fix it, a number one topic across the board, which frees up a lot
03:27of budget, and a lot of urgency, and a lot of attention on that topic.
03:30And maybe, what about the SMB segment?
03:33As a company, you started with a lot of inbound selling to specifically that customer segment.
03:38Like, what about them?
03:39They used to not be in their attack, and it seems like everyone is going after them.
03:43I have this saying at Aikido, which I said it today, and someone's like, did ChatGPT write that?
03:48I was like, I take offense to you asking me that.
03:51But it's just because it rhymes.
03:53But the saying is, you know, cyber used to be an enterprise problem, and today, maybe after the past 24
03:59months, it is an everyone problem.
04:02Meaning that, traditionally, cyber security was bought by, you know, enterprise CISOs because they needed to, you know, they had
04:09to, for liability reasons.
04:12Today, think about the SME market, think about the mid-market, where maybe they only were purchasing or thinking about
04:19security because they were forced to because of SOC2 or ISO compliance.
04:22Think about maybe even individual developers or maybe open-source maintainers who now the security of their project or what
04:30they're building is also paramount in their mind.
04:33And when we started Aikido, we were, you know, we were founders of these smaller, mid-sized software companies.
04:40We were spending $100K on this and $100K on that and $50K on this.
04:45It made no sense, you know.
04:47We had no knowledge you try to use these tools without being an enterprise expert, and you just feel, you
04:53feel, I mean, dumb.
04:55Like, you're like, well, what are all these acronyms?
04:57Cyber was such a niche, incredibly abstracted industry only for those Fortune 500.
05:06And part of the reason we started Aikido was to, I hate the word democratize because I think it says
05:11a lot but it doesn't mean too much,
05:12but was to really solve security, you know, for the mid-market, for the SMBs, looking forward to the future
05:19of development,
05:20which might not even be developers at all.
05:22And in order to do that, we really had to re-approach, you know, where does the burden of this
05:27work happen?
05:28What is the language we need to use?
05:29How do we really create and secure a market that never has been before?
05:35Are you also saying that it makes sense to be a platform if you don't want to procure all these
05:39tools individually from one another?
05:41Like, is there a sense of consolidation in this space?
05:44Yeah.
05:45If you read any of the earnings calls from any of the big cyber companies, I'm really fun at parties
05:50because I do that.
05:52But if you read, you know, the earnings calls from Cloudflare, Palo Alto Networks, even Datadog, huh?
05:56And you command F or you could, you know, copy and paste it into whatever AI tool you're using and
06:02you search the word platform,
06:03it'll appear probably more than, more as much as AI.
06:08I think when it comes to the conversation overall with development and AI-fueled development and how that converges with
06:14cyber,
06:15the one thing that people are now agreeing upon is context will win.
06:21And the way that we've approached technology, especially cyber, but even development, has been through these very narrow lenses.
06:28You know, you have your code security, then your open source security, then you have your even container scanning,
06:34which might even be different.
06:34You have your this and your that.
06:35And you have all of these kind of different acronyms and different layers,
06:39which are all kind of different ways of looking at the same thing.
06:42We decided that we need a platform first and foremost because we need to get rid of all these layers.
06:47It's the only way to actually have an effective, you know, software security system.
06:52And I think in the past year with sort of agents becoming as well, the hot topic, the future of
06:57work being done by agents,
06:59what is going to make the most performant future technology?
07:03It is having both breadth and depth and being platform first and being first to that bet as well at
07:11Aikido has definitely been big for growth.
07:13So collecting as much context as you can from code, cloud, supply chain packages.
07:18The only other company in cyber that has done a platform approach like we are today has been Palo Alto
07:23Networks for the past 10 years.
07:26And I had the unfortunate, I missed Nikesh.
07:29I was at an event with him like two weeks ago and I was like, oh God, what should I
07:32say to him?
07:33And I was going to be like, we're the next gen Palo Alto Networks.
07:36But I'm thinking now if I see him again, I'll say, you're the legacy Aikido.
07:40But I won't make any friends saying that, I think.
07:43And so we talked about SMB and I think there's, if you talk about, let's talk about the very, very
07:48bottom, like the tiny, tiny, tiny businesses.
07:50I'd love to double click on, you have a native integration with Lovable.
07:55Lovable is, I think everyone knows, like probably the most popular vibe coding tool out there.
07:59And it's really interesting because people build applications for themselves, for their companies, and even these applications need to be
08:05secure.
08:06Just curious if we could double click on like, what does it mean for them?
08:08What do you see from them?
08:10What is the need?
08:13So, Lovable is quite the story in terms of their own growth.
08:18And is everybody here built with Lovable?
08:20I hate the show of hands thing, but like, if you built with Lovable, can I see a hand?
08:23Aye, not that many.
08:25Okay, you guys should go sign up, by the way.
08:27It's pretty fantastic.
08:27But when the new homepage of the internet, you know, look at any big company, Figma, even Canva, Vercel, when
08:35the new homepage of the internet is, what do you want to build, like Lovable's is, you're opening, essentially building
08:42software to a market that has never been able to build software.
08:46Because, you know, I'm not a software developer.
08:48And now, I've actually built and shipped my own application, even have payment flows.
08:52I have my own custom database, the whole bit.
08:55So, Lovable is the other, there's two companies in Europe that have a .dev domain, so .developer, valued at over
09:02a billion, Aikido and Lovable.
09:03So, we've been close to them for a while, and I got a call or a Slack message from the
09:07CISO maybe a year ago, who's like, you know, one of the biggest things standing in between us and further
09:13growth is people saying, okay, well, it's Lovable, as in I love it, but can I trust it?
09:19And security and trust being the barrier to adopt AI at scale, especially at enterprise scale, but even at that
09:26individual scale.
09:27So, now, if you do build with Lovable, which I recommend that you do, and you're going to publish your
09:31application, it'll actually say, before you publish, you know, test it with Aikido.
09:36And what that product does is it actually spawns agents that we've trained to act like attackers, and they attempt
09:42to break into your application, sort of a pen test.
09:45But the big vision, and I think what was really interesting about that partnership and what that speaks to the
09:50future is twofold.
09:53One, you know, these tools being adopted in existing enterprises, enterprises, especially, you know, things like a McKinsey or a
10:01lot of blue-collar, right, enterprises that have to answer, what's your right to win in the AI world?
10:07How are you adopting AI?
10:08How are you becoming an AI-first enterprise?
10:10And a big part of that is, well, we want to adopt these AI tools.
10:14We want to be able to enable everybody to build, but can we trust it?
10:17So, security helps to actually enable AI adoption at scale.
10:20That really sounds like a buzzword.
10:22And on the other hand, I think that the partnership and companies like, you know, Lovable prove maybe the future
10:28of development is not at all technical.
10:30Maybe the rise of the citizen developer, which is what a lot of people are calling people building software that
10:35aren't necessarily developers, is going to take over and be the predominant way that tech is built and consumed.
10:42And how can we think about securing both of those at the same time, the old enterprises or the legacies
10:49and the future non-technical?
10:52And on this, because we also talked a little bit about AI and the risks.
10:57We talked about AI.
10:58I hadn't remembered yet.
11:00Like, what about, which happened like a bomb, like a few weeks ago, what about Claude Mythos, right?
11:05Like, it finds all these crazy vulnerabilities that no one was able to find, even in Linux, you know, things
11:11that have been around for decades.
11:13Is this good news because it's going to find all the vulnerabilities and we don't need to care about security?
11:19Is this bad news because this is in the hand of attackers and, like, we're all going to get screwed
11:23and breached?
11:24Like, what does it mean for you as a security company?
11:26How is this space changing?
11:30Well, first off, I think Mythos and generally what Anthropic has been doing in the security space is what I
11:36would call an absolute master class in marketing.
11:40I think BBC was the news outlet that covered it last week when Mythos or Fable was released and it
11:46was like, model too dangerous to release to public is released to public.
11:51You know what I mean?
11:52Build something, say it's going to change the face of the world, but only five people are allowed to access
11:57it and not you.
11:58Beg for it to be regulated and release it to the public.
12:01Have it be regulated.
12:03And now whenever anybody uses, you know, Claude, you open your Claude and it's like you're not allowed to access.
12:06I mean, you really, that is the perfect example of how to make somebody want something.
12:11But if we talk more seriously, I think what Mythos has done is, one, you know, connecting it to that
12:16first topic, it's made cyber a household topic and a household concern and it's built urgency.
12:23On the second, I mean, speak to those who have tried the model or if you had while it was
12:28available or those who have, for example, tested it.
12:30It's not itself a revolutionary model.
12:33Mythos will not change the world.
12:35But what it is important for and what it does represent is there are capable and increasingly capable models and
12:44what do those allow and what do those enable that was not previously possible.
12:50Part of that is indeed, you know, finding vulnerabilities, you know, complex vulnerabilities that live between services and code bases
12:57and whatnot that were not found in code.
13:01The other thing that makes possible is, you know, exploiting those a lot easier.
13:05It's changed the economics of cyber in every form.
13:10If I was a hacker, I wouldn't go after whatever, you know, company you have.
13:15I would be going after Goldman Sachs.
13:16But now I have a 25-euro subscription and I can take a nap and my agents that I've trained
13:22in jailbreak can execute attacks on companies of all sizes.
13:26That makes it potentially profitable for me as a hacker to go after the SMB to the mid-market.
13:31And, yeah, so maybe to make a long monologue shorter, what Mythos does and what it represents is I think
13:39it's rightly created urgency and awareness around cyber is changing and people who didn't have to care about it before,
13:46companies who didn't have to care about it before, do now.
13:49And, two, it doesn't matter what model it is, if it's Mythos, if it's Kimi, if it's DeepSeek, if it's
13:54whatever, any level of advanced AI can be used both to defend, which we hope to be the front of
14:01that, but it can also absolutely be used to attack even the most basic things and really compromise companies or
14:08supply chains as a whole.
14:09So you've got to be covered.
14:10You've got to have something.
14:12You cannot just ignore security.
14:13No, and it's not going to be, like, the novel things.
14:16Like, I think security as an industry, we love to talk about fear and risk.
14:21And so many cyber conversations or vendors, it's all about, even you sometimes do this.
14:26You're like, there's these new novel, crazy attack vectors that are possible with AI.
14:31And, yes, there are.
14:32And, yes, our research team is also finding them and we're helping to protect against them, and many of you
14:36are.
14:37But the reality of the matter is you're most likely to get breached because you downloaded a bad Chrome extension,
14:44because you don't use a password manager.
14:47The biggest threat to probably yourself is, I don't know, falling for a spam email and putting in your bank
14:52credentials.
14:53This is really boring stuff.
14:55You know, think about if you do have a code base, vulnerabilities that have been there for years that you
14:59know about,
15:00but you're like, it's tomorrow's problem.
15:01The big threat that AI poses in cyber is not today or maybe even tomorrow, these, like, incredibly complex cache
15:11poisoning with agents and whatever.
15:13It's all the things that we have not been doing really well because we've been lazy or sloppy or too
15:19busy or whatever are now going to become a problem today.
15:23It's yesterday's problems are now possible of today's issues.
15:27It's also code, right, because AI is completely changing or revolutionizing the software development life cycle.
15:33There's more code that's written by Claude, by AI, Codex, whatever you might be using.
15:38All this code is shipped to production.
15:40That code has to be secured one way or another.
15:44And so as a company, you introduced a concept of self-securing software.
15:49I'd love for you to double-click on that and explain what is the vision behind this.
15:53And why we need software that secures itself?
15:57Yeah, potentially have tons of vulnerabilities.
15:59Why should it secure itself?
16:00Why shouldn't a human review that?
16:01Yeah.
16:03I think it goes down to, like, what is the problem at hand?
16:06Aside from, you know, you probably need to use a password manager to change your passwords.
16:11But what's the problem at hand in software and companies building software today?
16:15is at the pace that vulnerabilities are potentially discovered and exploited,
16:21at the pace that development is happening and increasingly happening,
16:26at the fact that there is no choice but to move at that pace,
16:31or your competition will beat you.
16:34This kind of classic dialectic between speed and security,
16:38which is like, you know, choose, you know, speed or security.
16:42It's been like, you know, the number one topic in software and security to date.
16:46We need to resolve it once and for all.
16:48So if development is going to be happening at the scale 10x, 20x, 100x as it is today,
16:54if that is going to become more autonomous,
16:57maybe not even developers reading or writing or reviewing that code,
17:00and if we are going to be faced with, at every phase,
17:05people or attackers or their agents, you know, attacking us,
17:07then we need to somehow build security into the build flow
17:11as fast as code is generated and shipped.
17:14What that looks like for what we're building,
17:16and that can take different forms, is, you know,
17:18every time you push a new change, we, you know, are the agents,
17:22you know, whatever, Aikido, looks at that code, identifies,
17:25all right, this is just changing the color of a button,
17:26we don't need to token max on that,
17:29but this actually can change your attack surface.
17:31And let's now spawn new agents to attempt to actually exploit that,
17:36you know, in a staging or near production environment.
17:38Let's also then figure out, okay, that was exploitable,
17:41and here's the patch, and now you can auto-create those PRs.
17:44And so what all that, you know, terminology means is
17:47when software changes, it tests itself, it fixes itself,
17:52it validates those fixes, and it pushes a new version,
17:56and it can even deploy itself.
17:57The future might even be self-maintaining software
18:00if we want to go out of the world of security.
18:02We need that now because with how fast everything is moving
18:06and how fast we have to keep moving with it or else,
18:09or else, yeah, it's sort of a, it's a necessary framework.
18:15I see.
18:16Last, because I know we only have a few more minutes,
18:19I'd love to talk about Europe and sovereignty.
18:25Before I worked at Singular, I used to do M&A
18:29for a big, large tech company in the U.S. called Datadog,
18:32and a big part of our mandate was security.
18:34And so we would look at a lot of security companies all over the world,
18:38and I think 80% of them would happen to be in Israel,
18:42and the other 20% was on the West Coast, right, give or take.
18:47And Europe has been, historically so far,
18:50on cloud security, code security, like fairly weak.
18:54You today, you are the fastest-growing cybersecurity company
19:00in the world, and you were born in Ghent,
19:03a small village in Belgium.
19:06Like, why is that?
19:07What makes you so successful?
19:09How do you manage to be credible in front of everyone around the globe?
19:13And especially people who weren't used to buying software from people like you.
19:21You did our Series A, so I hope your LPs are happy one day because of that decision.
19:28And the conversation when we were starting Aikido
19:30and we were doing our initial fundraising is very different than it is right now
19:34because growth and revenue answers a lot of questions for people.
19:37But the questions we were getting being, you know, an aspiring cybersecurity company
19:42starting from a small Belgian town were pretty much like,
19:48well, you don't have any cyber background,
19:51you're not from the Israeli military,
19:54or you haven't worked at Palo Alto Networks,
19:58you don't know any, you don't even know a single CISO,
20:02and you're planning on doing, like, product-led growth?
20:05You don't even have, like, a sales team?
20:06And we're like, yeah, yeah, yeah, yeah, yeah, yeah.
20:08I mean, all that's true.
20:09And that was, and that still today is true.
20:12And I think what, this is a point that I speak,
20:15that I hope a lot of European founders,
20:17especially ones that have not yet kind of crossed the product-market fit chasm
20:21and are still building,
20:22there's so many people and there's so many founders
20:25that still focus a lot on the disadvantages of their situation,
20:29the disadvantage of building in Europe,
20:31even if they don't think it is, versus building somewhere else,
20:33the disadvantage of a smaller home market,
20:36a more fragmented continental union market
20:38of not having this or not having that or not being this.
20:41Those things became, or rather, those perceived disadvantages to us
20:47forced us to actually change the model of security
20:51and achieve, I think, what we're able to do today.
20:53It forced us to think, okay, we don't know CISOs,
20:56well, we're not building for them anyway.
20:58We're building for what we know, developers, CTOs,
21:01VP engineerings, SMB, mid-market companies.
21:04We know them better, so let's focus there.
21:06We don't have a sales team.
21:08Okay, maybe we need to hire some people,
21:09but maybe we need to actually figure out how they can find us,
21:12how we actually have a freemium and a self-service product.
21:15Okay, we're not Israeli, we're not American.
21:18We're going to have talent that we hire
21:20that has none of the prejudices or learned frameworks of cyber,
21:24and we can completely rethink what does it mean to build and sell
21:28and become a successful cybersecurity company.
21:31So, yes, I think what I'm trying to say
21:36is everything was stacked against us,
21:38and we figured out a way.
21:40It forced us to figure out how to make that actually the things
21:44that are our competitive advantage.
21:47So find what your disadvantage is
21:48and make it a unique competitive advantage,
21:50especially if you're building in Europe
21:52in an industry that has never seen a European champion.
21:56And your number one country
21:58from a revenue contribution standpoint is the U.S.
22:01Do you see any market pull in Europe
22:03because corporates, customers are looking for a European vendor, specifically?
22:08Sure, absolutely.
22:10I don't like this trade-off between it's not as good,
22:13but it's European.
22:13We will never settle for that.
22:15We're going to be better, and we will win by merit.
22:18But, yes, I mean, a huge topic here at VivaTech
22:22is digital sovereignty.
22:24What are the critical industries
22:27and the critical parts of our economies,
22:29our societies, our companies
22:32that we need to ensure that we have independence over,
22:36a protected future over, right?
22:38And when something like cyber, which is, are we safe?
22:43When that question is answered for Europe
22:45and European companies exclusively by Israeli and Americans,
22:49in a day like this,
22:52a lot of big enterprises are feeling uncomfortable
22:54with that dependence,
22:55and the need to be able to be independent
22:58and to be strong
22:59and to compete at a global scale
23:01in one's own security
23:02is a huge topic
23:04and a big part of our focus on the enterprise speed.
23:07So we can build infrastructure software
23:09and cybersecurity giants from Europe.
23:11Yeah, do you think that fits on a T-shirt?
23:13I'll make them if it does.
23:15All right.
23:16And just to finish and to wrap up,
23:17what is next for Aikido?
23:19How do you see the next couple of years?
23:22When somebody thinks
23:24who are the generational European companies,
23:26who are the strongest AI companies in the world,
23:29they're going to think ElevenLabs,
23:33they're going to think Lovable,
23:34and they're going to think Aikido.
23:35Absolutely, I think,
23:36becoming a household name championing
23:38the fact that we can build giants
23:40from cities of 200,000 people called Ghent
23:44that people think I'm sneezing when I say it,
23:46and to bring the vision of self-securing software
23:50and the future of development
23:51to everybody from individuals to enterprises.
23:56Cool, awesome.
23:57We're right on time,
23:58so thank you so much, Madeline,
23:59for sharing this story.
24:00And nice to meet all of you.
24:01See you later.
24:02Cheers.