Attack Surface Management, Cloud Security, Security Operations
Secure-by-Design Startup Uses AI Agents to Safeguard Containers, VMs and Libraries
Michael Novinson (MichaelNovinson) • December 16, 2025

Eilon Elhadad, co-founder and CEO, Echo (Image: Echo)
A secure software infrastructure startup led by the former CEO of Argon Security raised $35 million to create a secure-by-design foundation for cloud computing.
The N47-led Series A funding round will allow New York-based Echo to expand from offering enterprise-ready, vulnerability-free container images as foundational components for cloud apps to covering virtual machines and open-source libraries, said co-founder and CEO Eilon Elhadad. Echo, he said, focuses on eliminating vulnerabilities at the source rather than patching them after deployment.
“So today, we are secure and providing a container OS, but in the future, we want to expand to virtual machines and libraries and basically any resource in the cloud,” Elhadad told Information Security Media Group. “And for that, we need more engineers to expand our solution to a platform, and everything that’s running in the cloud will run on top of Echo.”
Echo was founded in 2025, employs 37 people and has raised $50 million, having last completed a $15 million seed round in July led by Notable Capital and Hyperwise Ventures. The company has been led since inception by Elhadad, who stood up software supply chain security firm Argon and sold it to Aqua Security for nearly $100 million. He spent seven years in Unit 8200 of the Israeli Military Intelligence (see: Aqua CEO on Why Cloud-Native Apps Need Supply Chain Security).
Broadening Echo’s Product Platform Beyond Containers
The company’s Series A funding round will be used primarily to expand engineering efforts and broaden its product platform beyond containers, offering support for new cloud resource types like VMs and third-party libraries, according to Elhadad. He said lead investor N47 was selected not just for its capital but because of shared values and alignment on long-term vision.
“In general, we had a high-level plan of what we do and how we will deploy the money,” Elhadad said. “And also, as a second-time founder, I can tell you that some of it is based on the demand. If you are able to capitalize more money, that will allow you to run faster. So the combination of what we planned and our ability to get a lot of inbound interest led us to do relatively big Series A.”
Open-source container images often contain hundreds or thousands of known vulnerabilities. Elhadad said enterprises often spend millions on vulnerability management programs just to keep these insecure images patched and updated, which include resource-intensive and slow internal processes for scanning and triaging.
“In the past, you worked with Linux, and then enterprise Linux came to the game with Red Hat,” Elhadad said. “We are doing the same thing for containers.”
The company’s container OS is built from source code and delivered vulnerability-free, unlike traditional container images. Echo eliminates the need for organizations to retroactively scan, patch and triage vulnerabilities in container images by preventing those vulnerabilities from being introduced in the first place, he said.
“Today, Echo is providing AI-native OS for cloud applications,” Elhadad said. “And the idea is that it’s mainly focusing on containers. That means that we are bringing container images that they are clean from vulnerabilities. We feel that the market is huge, and there is opportunity to do something called secure-by-design.”
How Securing Virtual Machines Differs from Defending Containers
Unlike containers, where the customer doesn’t manage the host OS, virtual machines require the OS to include and secure the host itself, which Elhadad said makes VMs more complex. In addition, open-source libraries are often inserted directly into application layers and carry vulnerabilities that aren’t always surfaced through standard scanning tools.
“They are running some different infrastructure, and they have different things that they need to include,” Elhadad said. “There are many differences between them. It’s like, you have Windows and you have Linux. It’s two different types of operating systems that you need to support.”
When a new CVE is identified, Echo’s system triggers an AI-driven pipeline that determines which images are affected, conducts open-source research, applies patches, runs compatibility tests and creates pull requests for human review. This system allows Echo to scale vulnerability remediation across hundreds of container images, something that would traditionally require large, expensive engineering teams.
“First of all, we identify the affected images,” Elhadad said. “After that, we need to look for unstructured data sources, because there is often no clear fix of the CVE. Once we brought the patch, the agents apply the patch, run comprehensive compatibility testing, create a pull request and then a human reviews it.”
Echo’s OS is fully compatible with Debian and Ubuntu, meaning that enterprises can migrate their workloads to Echo without needing to refactor or rewrite anything, Elhadad said. Custom operating systems often require time-consuming migrations and application-level changes, he added.
“We are fully compatible with all of the major Linux distros in the market,” Elhadad said. “And all of the alternatives in the market are built on custom OS. That means the migration of the customers to our OS is straightforward, with zero friction and with the others it could take years.”