Hi all,
We're excited to launch Zen for PHP in our Zen program: https://github.com/AikidoSec/firewall-php! You can view the instructions to install firewall-php in our policy.
If you've taken a look at Zen for PHP previously, do have another look. We've introduced lots of architectural changes to Zen for PHP, summarizing them below:
- Aikido Agent is now a standalone process that is spawned when the PHP server starts (if the Agent is not already running)
- There can only be one instance of the Aikido Agent, and all servers communicate with that instance
- Zen now supports multi-site configuration (virtual hosts), each site is to be configured with a different token / env to uniquely identify the running server
- Added stack traces to attack events
- Hooked into PHP’s AST compile logic to inject a call to Aikido’s protection function, before PHP code is executed
We're introducing a 25% bonus for Critical+ severity vulnerabilities in Aikido Zen until 31 December 2025.
Happy hacking!
Aikido's Security Team
Hi all!
SQL injection bypasses are back in scope for Aikido Zen. We are starting out with Zen for Node.js (version >= 1.6.0), but we'll soon have SQL injection bypasses in scope for our Python agent again as well.
Our new SQL detection algorithm uses a tokenizer. The zen-internals repository is a great starting point to explore our new approach: https://github.com/AikidoSec/zen-internals/tree/main/src/sql_injection.
Looking forward to your submissions!
Happy hacking,
Aikido's Security Team
Hi all!
A small gift just before the weekend starts: Aikido's Firewall for Python is now in scope! We've updated our policy and severity assessment around the new scope, so make sure you review them thoroughly before submitting your reports.
Looking forward to your submissions!
Happy hacking,
Aikido's Security Team
Hi all!
Bypasses of our SQL injection detection are temporarily out of scope. The development team is working on a new approach for detecting SQL injection vulnerabilities. We'll send out an update once it is in scope again, with the technical details. For now, enjoy a small sneak peek: https://github.com/AikidoSec/firewall-node/pull/349.
Thank you and happy hacking,
Aikido's Security Team
Hi again,
Forgot to include this in the previous message, but @svennergr found the first shell injection detection bypass this week, which we patched yesterday. You can review the patch here: https://github.com/AikidoSec/firewall-node/pull/224.
Happy hacking,
Aikido's Security Team
Hi all!
Welcome to Aikido's Security Firewall Bug Bounty Program, where we hope to cover both vulnerabilities and vulnerability detection bypasses in our firewall. As outlined in the program's description, our firewall is a bit different from the traditional WAF, so your creativity will be very valuable for finding vulnerabilities, potential bypasses in vulnerability detection, or even false positives we may trigger during detection.
If you have any (technical) questions, feel free to contact Intigriti's support team, who will forward the questions to us.
Happy hacking,
Aikido's Security Team

