Aikido Security alternative: Fleuret AI as the specialist agentic pentest pick (2026)
TL;DR
Aikido Security is the fastest European cybersecurity unicorn of 2026, with 50,000+ organisations on the platform and 5× revenue growth. The pitch is consolidation: SAST, DAST, IaC, container scanning, secrets, cloud posture, plus an AI pentest module (Aikido Attack), all in one UI. For an EU mid-market CISO choosing between consolidating vendors and buying a specialist pentest:
- Pick Aikido if the buying logic is "consolidate 9+ point-tools into one suite", the org has not yet shipped a mature AppSec programme, and the secondary AI pentest module is good-enough for the current threat model.
- Pick Fleuret AI if pentest is a primary buying centre (not a module), continuous agentic depth + signed audit PDFs + DORA / NIS2 mappings are non-negotiable, and the SAST / cloud / runtime layers are already covered by other tools.
Both ship in EU mid-market. The decision is whether pentest is a feature in a suite or a specialist deliverable in a compliance workflow.
Why CISOs search "Aikido alternative"
The query is common among three buyer profiles:
- Pentest-heavy buyer. A buyer whose binding requirement is depth on pentest specifically, not breadth across AppSec, finds Aikido's consolidation pitch under-spec for the pentest module and goes looking for a specialist.
- Auditor-driven procurement. A buyer whose procurement gate is "what does this look like in a regulator audit" finds Aikido's SOC 2 / ISO 27001 framing strong but wants a vendor that ships DORA Article 24 / NIS2 Annex I mappings by default.
- Sovereignty-strict review. Aikido has EU hosting available; some EU regulated buyers prefer a French-headquartered specialist with documented open-weight LLMs over a Belgian unicorn with broader suite logic.
Aikido Security: the reference, in one paragraph
Aikido Security is headquartered in Ghent, Belgium, founded by Willem Delbare and team. The company hit unicorn status faster than any other European cybersecurity firm in 2026, with 50,000+ organisations using the platform and revenue roughly 5× YoY. The product is a unified AppSec suite covering SAST, DAST, SCA, IaC scanning, container, secrets, cloud posture, plus the Aikido Attack agentic pentest module. EU + US hosting flexibility, SOC 2 and ISO 27001 certified. The buying logic is "one platform replaces 9+ point tools".
Side-by-side: Fleuret AI vs Aikido Security
| Axis | Fleuret AI | Aikido Security |
|---|---|---|
| Headquarters | France | Belgium |
| Scope | Agentic pentest specialist (web app, API, infra) | Unified AppSec suite (SAST/DAST/IaC/container/secrets/cloud + AI pentest module) |
| Pentest module orientation | Pentest is the product | Pentest is one module among 9+ tools |
| Architecture | Multi-agent hierarchical (recon, plan, exploit, validate, sign) | Aikido Attack agent + suite components |
| LLM stack | Open-weight (gpt-oss-120b, Kimi K2.5, Mistral) on Scaleway France | Disclosed within product security pages |
| DORA / NIS2 eligibility | Yes, with shipped Article 24 / Annex I mappings | Yes, EU hosting available |
| Default report format | DORA Article 24 + NIS2 mappings, Ed25519-signed PDF | SOC 2, ISO 27001 mappings within suite |
| Compliance workflow surfaces | Jira ticket creation, audit PDF, board export, weekly re-test by default | Suite-wide ticketing + remediation across all modules |
| Buying logic | Specialist deliverable, auditor + CISO-led | Consolidate vendors, dev + security-led |
| Continuous cadence | Weekly or per-deploy on Continuous tier | Continuous across all modules |
| Pricing transparency | Public tiers (POC €3k / Starter €10k/yr / Growth €25k/yr) | Mid-market suite pricing |
| Best-fit ICP | EU regulated mid-market with DORA / NIS2 scope, pentest as primary buying centre | Mid-market consolidating 5+ AppSec tools into one |
A few reading notes.
Specialist vs suite. This is the question. A specialist agentic pentest with shipped DORA / NIS2 mappings versus a unified AppSec suite where pentest is one module among many. Both are valid. The right answer depends on what the rest of the buyer's stack already covers.
Scope clarity. Aikido's scope is breadth: 9+ tools in one UI. Fleuret's scope is depth: agentic pentest with end-to-end recon-to-signed-PDF. If the buyer already has SAST + cloud + container under control, Aikido's suite logic loses some of its leverage and the pentest-module question becomes a head-to-head with Fleuret.
Sovereignty posture. Both are EU-headquartered. Fleuret runs documented open-weight LLMs on Scaleway France. Aikido provides EU hosting and documents its security stack. For EU AI Act high-risk audit preparedness from August 2026, ask both for model identifier / version / training data / inference location disclosure at the same depth.
Architecture differences that matter at scale
Specialist agent depth vs suite module depth. Fleuret's multi-agent hierarchical engine is built end-to-end for pentest. Aikido Attack is one module inside a suite optimised for breadth. The benchmark question is what validated-finding rate Aikido Attack delivers on identical scope vs Fleuret, with both vendors running on the same target.
Workflow surfaces inside vs across modules. Aikido's ticketing and remediation work across the whole suite, which is a real strength when the buyer wants one queue for SAST + pentest + cloud findings. Fleuret's workflow is pentest-deliverable-first: Jira ticket per finding with severity + PoC, signed audit PDF, board export, weekly re-test. Different operating models, both legitimate.
Compliance mapping defaults. Fleuret ships DORA Article 24 and NIS2 Annex I mappings on the default audit PDF. Aikido ships SOC 2 and ISO 27001 mappings at the suite level. Buyers with a specific DORA or NIS2 mandate often find Fleuret's default closer to their auditor's expectations without configuration.
Buying guide
Mid-market consolidating 5+ AppSec point tools into one platform. Aikido is the direct fit. Suite logic, broad coverage, fast time-to-value.
EU regulated mid-market 300-5000 employees, DORA / NIS2 scope, pentest is primary buying centre. Fleuret is the direct fit. Specialist depth, shipped regulatory mappings, signed PDF defaults.
Dev-team-owned security, code-cloud-runtime is the buying logic. Aikido covers more of the stack in one UI, faster to onboard. Fleuret often complements at this profile, plugging in for the pentest layer specifically.
Auditor-driven procurement where the report must map directly to DORA Article 24 / NIS2 Annex I without manual reformatting. Fleuret leads on shipped-by-default. Aikido is a fit if the buyer is willing to map findings to regulatory annexes during the procurement cycle.
What each vendor does best
Aikido Security. The "everything platform" play. 50,000+ organisations use the broader suite. Strong fit when the buying logic is "consolidate vendors", not "pick the best pentest". EU + US hosting flexibility, SOC 2 / ISO 27001 mature.
Fleuret AI. Sovereign-by-default specialist agentic pentest with the compliance workflow (Jira, signed audit PDF, board export, weekly cadence) wired in on the default Continuous tier. Best fit when pentest is a primary buying centre and DORA / NIS2 deliverables are non-negotiable.
What to verify before signing either
Two checklists before the product demo:
- The 7-question sovereignty checklist for legal-review pre-clearance.
- The 7-question workflow-lock-in checklist for operational fit.
For Aikido Security, also ask:
- What is the Aikido Attack module's validated-finding rate compared to a specialist agentic pentest on identical scope?
- How does the suite map findings to DORA Article 24 / NIS2 Annex I if the buyer is regulated?
- What is the path to plug a specialist pentest tool into Aikido's ticketing if the Attack module is under-spec for some scopes?
For Fleuret AI, also ask:
- When does Fleuret recommend a buyer pick Aikido instead — what scopes does the suite cover better?
- How does Fleuret coexist with an Aikido deployment when the buyer wants both?
- What is the specialist depth on agentic pentest that justifies a standalone purchase over a suite module?
Both are valid EU mid-market answers. The honest answer to "Aikido alternative" is Fleuret AI when pentest is a primary buying centre, not a feature in a wider suite.