RSAC Vendor Spotlight: Echo.AI
The 80-Day Gap: How Echo Is Reengineering the Container Security Supply Chain
Container-based application architectures have fundamentally transformed how enterprises build and deploy software — and fundamentally transformed how attackers find their way in. Every container image ships with a dependency graph that reflects months of upstream open source development, and every CVE published against those upstream libraries immediately becomes your organization’s liability.
The cruel irony of modern vulnerability management is that deploying your scanner is the moment your problems become visible, not the moment they begin. Security teams running Wiz, Palo Alto Prisma, or Snyk against a mature containerized environment routinely surface hundreds of thousands of findings on the first scan. Eylam Milner, Echo’s CTO, described a major deployment scanning thousands of microservices that surfaced over a million findings.
A Pipeline Problem, Not a Detection Problem
The industry’s instinct has been to invest in better prioritization: smarter scoring, risk-based ranking, contextual CVSS adjustment. That investment matters, but it misses the more intractable problem sitting upstream. When a critical vulnerability receives an official upstream fix, the average time for that fix to propagate through maintainer review, distribution packaging, and container registry publication runs between 65 and 80 days. Organizations operating under FedRAMP or similar regulatory frameworks may face seven-day SLAs for critical CVE remediation. The math on that doesn’t work.
AI-assisted code generation compounds the problem: agentic coding tools pull open source dependencies at far higher velocity than human developers, with far less accountability for what specific versions land in the build.
The CVE backlog is not shrinking — the surface area is growing faster than the remediation pipeline can clear it.
Echo’s Secure Software Factory
Echo attacks the pipeline problem directly rather than the prioritization problem. The company delivers what it calls secure-by-design artifacts — container images, virtual machine images, and open source packages built inside a hardened supply chain pipeline where AI agents continuously research, apply, test, and validate security patches before customers ever consume the artifacts.
The core technical insight that separates Echo from the scan-and-score incumbents is its commitment to backporting rather than version bumping. Where competing approaches resolve CVEs by upgrading the affected library to a newer version — a change that can silently break application dependencies — Echo’s AI-powered backporting agents extract the relevant security fix from an upstream release and apply it to the existing version, closing the vulnerability without altering the library version itself. The result is an infrastructure layer that is predictable, compatible with existing toolchains, and continuously hardened. Echo currently maintains more than 1,500 container images and 3,000 secure packages, a catalog that a team of roughly 60 people could not sustain without AI-driven patch automation.
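The backporting model has a practical consequence for anyone running a scanner against such an artifact: a scanner that decides "vulnerable" from the version string alone will keep flagging a package whose fix was applied in place, because the version never moved. The example below is added here to illustrate that mismatch and the usual remedy; it is not Echo's code or any real scanner's implementation. It contrasts naive version-range matching with matching that consults a VEX-style "fixed" statement for the exact package build. Every package name, version and CVE identifier in it is a constructed placeholder.

```python
"""Version-only CVE matching versus backport-aware matching.

Added example, not Echo's code or any scanner's real implementation.
A naive matcher treats every installed version below `fixed_in` as
vulnerable, so an in-place backport (same version string) stays flagged.
A VEX-style statement scoped to the exact package build tells the matcher
that this build already carries the fix. All identifiers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    fixed_in: str  # first upstream version that carries the fix


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    version: str


@dataclass(frozen=True)
class VexStatement:
    """Exploitability statement for one package build: this exact build has
    the fix for `cve` (or is not affected) even though its version predates
    the advisory's `fixed_in`."""
    package: str
    version: str
    cve: str
    status: str  # "fixed" or "not_affected" suppress the finding


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only; the constructed sample keeps to that form."""
    return tuple(int(part) for part in v.split("."))


def version_only_findings(installed, advisories):
    """What a naive scanner reports: any package below `fixed_in` is vulnerable."""
    findings = []
    for pkg in installed:
        for adv in advisories:
            if adv.package == pkg.name and parse_version(pkg.version) < parse_version(adv.fixed_in):
                findings.append((pkg.name, pkg.version, adv.cve))
    return sorted(findings)


def backport_aware_findings(installed, advisories, vex):
    """Same range matching, but a 'fixed' or 'not_affected' statement for this
    exact (package, version, cve) triple suppresses the finding."""
    suppressed = {
        (s.package, s.version, s.cve)
        for s in vex
        if s.status in ("fixed", "not_affected")
    }
    return [f for f in version_only_findings(installed, advisories) if f not in suppressed]


# Constructed sample: one library with two advisories. The image builder
# backported the fix for the first CVE without bumping the version; the
# second CVE is genuinely still open in this build.
ADVISORIES = [
    Advisory("CVE-0000-0001", "libexample", "1.2.4"),
    Advisory("CVE-0000-0002", "libexample", "1.3.0"),
]
HARDENED_IMAGE = [InstalledPackage("libexample", "1.2.3")]  # version unchanged by the backport
HARDENED_VEX = [VexStatement("libexample", "1.2.3", "CVE-0000-0001", "fixed")]


if __name__ == "__main__":
    print("naive scan:", version_only_findings(HARDENED_IMAGE, ADVISORIES))
    print("backport-aware scan:", backport_aware_findings(HARDENED_IMAGE, ADVISORIES, HARDENED_VEX))
```

The naive matcher reports both CVEs against the hardened image; the backport-aware matcher reports only the one that is still open. This is the gap that scanner integrations of the kind described below have to close, and it is also the check to run in a proof of concept: confirm that the scanner you rely on consumes the artifact's fix statements rather than the version string alone.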
Deployment Considerations
Echo’s integration model reflects a deliberate architectural philosophy: meet enterprises in the environment they already operate, rather than requiring them to adopt a proprietary scanning stack. Echo maintains active technical integrations with Snyk, Wiz, Orca, Palo Alto Prisma, and the major open source scanners, ensuring that when a security team scans an Echo artifact with the tool they already trust, they see accurate, contextually appropriate results. Organizations evaluating Echo should expect POC workflows that run their existing scanner against a baseline and against Echo-hardened equivalents — the delta in findings is the business case. Echo also exposes an MCP server that integrates directly with developer IDEs such as Cursor, allowing coding agents to query Echo’s secure artifact repository before pulling from upstream open source. Security teams should note that the primary buyer relationship runs through the CISO and application security leadership, but engineering teams frequently initiate the conversation, particularly in organizations facing FedRAMP hardening requirements where the DevOps organization owns the implementation burden.
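The proof-of-concept workflow described above comes down to comparing two scan reports: the same scanner run against a baseline image and against its hardened equivalent. The script below is an added example, not Echo's tooling or any scanner vendor's export format, showing how to turn those two reports into the delta that makes the business case, including the two numbers a reviewer should insist on seeing alongside the headline reduction: what remains (often application-level dependencies the base image cannot fix) and what was newly introduced. Both reports are constructed inline in a deliberately minimal shape; real scanner JSON differs per tool, so `load_findings` is the one place to adapt field names. CVE identifiers, package and image names are placeholders.

```python
"""Baseline-versus-hardened finding delta for a scanner proof of concept.

Added example, not Echo's code. Both reports below are constructed in a
minimal shape (image name plus findings with cve, package, severity).
Adapt `load_findings` to the actual scanner's JSON; the delta logic is
tool-independent.
"""
import json
from collections import Counter

# Constructed report: the organization's current base image.
BASELINE_REPORT = json.dumps({
    "image": "registry.example/app:baseline",
    "findings": [
        {"cve": "CVE-0000-0001", "package": "libexample", "severity": "CRITICAL"},
        {"cve": "CVE-0000-0002", "package": "libexample", "severity": "HIGH"},
        {"cve": "CVE-0000-0003", "package": "libother", "severity": "HIGH"},
        {"cve": "CVE-0000-0004", "package": "libother", "severity": "MEDIUM"},
        {"cve": "CVE-0000-0005", "package": "app-dep", "severity": "LOW"},
    ],
})

# Constructed report: the same application rebuilt on a hardened base image.
# Three base-image CVEs are gone, one is still open, the application-level
# dependency is untouched (out of the base image's scope), and one new
# package arrived with a finding of its own.
HARDENED_REPORT = json.dumps({
    "image": "registry.example/app:hardened",
    "findings": [
        {"cve": "CVE-0000-0002", "package": "libexample", "severity": "HIGH"},
        {"cve": "CVE-0000-0005", "package": "app-dep", "severity": "LOW"},
        {"cve": "CVE-0000-0006", "package": "libnew", "severity": "MEDIUM"},
    ],
})


def load_findings(report_json: str) -> dict:
    """Key each finding by (cve, package) so one CVE hitting two packages
    counts as two findings, which is how scanners report it."""
    report = json.loads(report_json)
    return {(f["cve"], f["package"]): f for f in report["findings"]}


def finding_delta(baseline_json: str, hardened_json: str) -> dict:
    """Split findings into closed / remaining / introduced and summarize."""
    base = load_findings(baseline_json)
    hard = load_findings(hardened_json)
    closed = sorted(set(base) - set(hard))
    introduced = sorted(set(hard) - set(base))
    remaining = sorted(set(base) & set(hard))
    return {
        "closed": closed,
        "introduced": introduced,
        "remaining": remaining,
        "closed_by_severity": dict(Counter(base[k]["severity"] for k in closed)),
        "remaining_by_severity": dict(Counter(hard[k]["severity"] for k in remaining)),
        # Headline number for the business case; guarded against an empty baseline.
        "reduction_pct": round(100 * len(closed) / len(base), 1) if base else 0.0,
    }


def poc_acceptable(delta: dict, max_introduced: int = 0) -> bool:
    """A hardened image that brings new findings with it needs an explanation
    before the reduction figure means anything; default tolerance is zero."""
    return len(delta["introduced"]) <= max_introduced


if __name__ == "__main__":
    delta = finding_delta(BASELINE_REPORT, HARDENED_REPORT)
    print(json.dumps(delta, indent=2, default=list))
    print("acceptable without review:", poc_acceptable(delta))
```

On the constructed data the reduction is 60%, but the summary also shows that the remaining HIGH is an unfixed base-image CVE, the remaining LOW lives in an application dependency the base image was never going to address, and one MEDIUM was introduced by a package the hardened image added. Those three lines are what separates a defensible proof of concept from a single percentage.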
Why This Matters
The container security market has spent the better part of a decade building increasingly sophisticated instruments for finding vulnerabilities. Echo’s argument — and the data supports it — is that the unsolved problem was never detection. It was the structural gap between when a fix exists in the world and when an enterprise can actually use it. Closing that gap from 80 days to 24 hours, while preserving full compatibility with the scanners, registries, and development workflows enterprises already operate, is a genuinely differentiated value proposition. For DevOps and DevSecOps practitioners, Echo represents something rare in the security tooling landscape: a solution that simultaneously reduces the CISO’s CVE exposure metrics and eliminates the Jira ticket backlog that lands on engineering teams every time a scanner runs. When security and engineering are both pulling the same vendor in, that is a signal worth paying attention to.