With 30,000 CVEs catalogued last year and projections pointing toward millions annually, security teams cannot patch their way out of the problem. The traditional shift-left model assumes engineers can triage and remediate faster than vulnerabilities are discovered, and that assumption no longer holds. Organizations running containerized workloads and open source libraries are consuming unvetted dependencies from the internet, often without visibility into what those packages contain or where they come from.
In this interview on TFiR, Eilon Elhadad, Co-Founder and CEO at Echo, breaks down why reactive vulnerability management is failing enterprise teams and how a secure-by-design consumption model for containers and open source libraries changes the equation entirely.
Guest: Eilon Elhadad, Co-Founder and CEO at Echo
Show: TFiR
Here is what every platform engineer, DevSecOps practitioner, and cloud security team needs to know.
Technical Deep Dive
Q: What is Echo and what problem does it solve for enterprise security teams?
Eilon Elhadad, Co-Founder and CEO at Echo, built the company to address the core failure of reactive vulnerability management: organizations cannot patch CVEs faster than they are discovered. Echo provides enterprise-vetted, pre-patched container images and open source libraries so teams consume clean dependencies from the start rather than chasing vulnerabilities after they appear in scanners. The model shifts the security burden from ongoing remediation to trusted-source consumption.
“You are consuming everything you need from a trusted source, so your visibility dashboard will show that it is clean.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: Why is the current CVE volume making traditional vulnerability management unsustainable?
The NVD catalogued roughly 30,000 vulnerabilities in the past year alone, and Elhadad projects the number will reach into the millions annually within a few years as AI models accelerate vulnerability discovery. No engineering or security team can maintain the staffing or tooling to triage and patch at that rate without a fundamental change in how software dependencies are consumed. The gap between discovery velocity and remediation capacity is the core structural failure the industry is now confronting.
“In the last year, 30,000 vulnerabilities were identified by the NVD, and projections suggest that number could reach millions per year within a few years. Organizations simply cannot keep up.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: What is the scope of the software supply chain attack surface when containers and open source libraries are included?
Elhadad describes the attack surface as encompassing the entire container layer and every open source library those containers depend on. Echo started with containers because that was the most immediate entry point for attackers, but customer feedback quickly revealed that the attack path extends into the underlying libraries as well. A container image can aggregate dozens of open source packages, each with its own vulnerability history, and most teams pulling images from public registries have limited visibility into the provenance or patch status of those components.
“The attack path doesn’t stop in the container itself. It also expands to the open source libraries, so we started patching libraries and trying to prevent all those supply chain attacks.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: What does secure-by-design consumption mean in practice and how is it different from shift-left security?
Shift-left security moves vulnerability scanning earlier in the development pipeline, but the engineering team still owns the remediation work. Elhadad’s secure-by-design model removes that burden entirely by making Echo the trusted upstream source. Teams pull container images and libraries from Echo’s portal rather than public registries, and those artifacts have already been patched before consumption. The visibility dashboard then reflects a clean state rather than a backlog of open CVEs.
“It’s not shift left anymore, shift right. You are consuming from a trusted enterprise source everything that you need.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: How does the Echo portal and mirroring workflow actually work for an engineering team?
Customers access the Echo portal and initiate a mirroring process that pulls all available patched images into their own organization’s registry. If a team needs an image that is not yet in the mirrored set, they submit a request via API and receive the patched image into their registry quickly. Elhadad emphasizes that Echo builds its images from source and from upstream so that the resulting artifacts are fully compatible with the upstream originals, requiring no changes to existing Dockerfiles or deployment configurations.
“When the customer goes to our portal and does something called mirroring, pulling all of the images to his organization, he will have everything ahead.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: How does Echo differentiate from Chainguard or Minimus on implementation complexity?
Elhadad positions Echo’s primary competitive differentiator as time to value. Because Echo builds images to be fully compatible with their upstream equivalents, organizations do not need to modify application code, Dockerfiles, or deployment pipelines to adopt them. He contrasts this with competitors where migration requires significant rework. The claim is that Echo images work as drop-in replacements, reducing the adoption barrier that typically stalls enterprise security tooling deployments.
“Compared to the competitors, we don’t need a long time of implementation. The organization just consumes us and it will work like magic out of the box because we look exactly like the upstream.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: What real-world results have customers seen deploying Echo in production?
UiPath, a public company, deployed Echo across hundreds of container image types representing tens of thousands of microservices and achieved near-full deployment within one quarter, including rollout to their own customer environments where Echo is now bundled with the UiPath platform. EDB, which develops the Postgres database, reported saving more than 200 engineering hours per release cycle after integrating Echo. Elhadad also notes that in both cases AI agents within customer environments now use Echo as the trusted source when building software.
“EDB basically developing the Postgres database, and the CISO mentioned that they are saving more than 200 hours of engineering every release. That’s a huge thing.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: How does Echo handle upstream open source collaboration and CVE contribution?
When Echo identifies a vulnerability where the upstream maintainer lacks the resources to produce a patch, Echo writes the fix independently and contributes it back to the upstream project. Elhadad cited a recent CVE discovery made in collaboration with a partner called Sierra, which was disclosed to the community, and active work with the Debian community on a contributed patch that was pending public announcement at the time of recording. The company views upstream contribution as a core part of its operating model rather than an occasional gesture.
“We patched by ourselves and of course immediately we contributed to the upstream. We are trying to be as collaborative as we can with the upstream.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: How does Echo use AI agents internally to handle patching at scale?
Elhadad is direct that the patching operation would not be economically viable without AI automation. Echo’s engineering team has built AI agents that perform the patch analysis, apply fixes, and generate images autonomously, with security engineers and humans in the loop for oversight rather than execution. He states that five years ago the gross margin required to run this operation manually would have made the business model unsustainable. The AI-native approach is what makes it possible to deliver patched artifacts at the scale current CVE volumes demand.
“We have an amazing group of engineers that built AI agents that do the patching, do the analysis, create the images. The majority of the work is done by AI agents while we are sleeping.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: How do CRA and FedRAMP compliance requirements change how organizations approach container security?
Elhadad describes the EU Cyber Resilience Act as functionally equivalent to FedRAMP in its market effect: if an organization wants to do business with large enterprises or government entities, certification and compliance become non-negotiable prerequisites. He frames regulation not as a burden but as a forcing function that removes the internal debate about whether to invest in supply chain security. Organizations that previously treated vulnerability management as optional are now compelled to act, and that compliance pressure is a primary catalyst driving Echo’s market adoption.
“The market also understands that it’s not anymore a question. If you want to do it, you have to do it. That’s what regulation brings.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: How does Echo address vendor lock-in concerns given that customers depend on Echo-provided images?
Elhadad acknowledges the vendor dependency concern directly and responds with an analogy: when someone buys a laptop they trust Microsoft or Apple to patch the operating system, and the same logic should apply to cloud infrastructure dependencies. He then cites Echo’s credibility markers: the team pioneered software supply chain security at Argon before its acquisition by Aqua Security, the CTO built the CIS benchmark for software supply chain security, the company has raised 50 million dollars, and backing comes from recognized industry practitioners. He also notes that most cloud security vendors partner with Echo or use it as an underlying layer.
“When a big bank is pulling something from the internet, maybe a young kid built it, who knows. You need an enterprise and you need to choose a vendor to trust.” — Eilon Elhadad, Co-Founder and CEO, Echo
Q: What is Echo’s long-term vision beyond container and library patching?
Elhadad describes Echo’s long-term goal as building the foundational operating system layer for AI agents running in cloud environments, with the ambition that everything executing in the cloud should run on top of Echo. He frames this as the reason he returned to building a company after the Argon acquisition rather than retiring, citing the scale of the opportunity rather than financial necessity as the driver. The secure-by-design consumption model for containers and libraries is the first layer of what he envisions as a much broader cloud infrastructure trust platform.
“There is an opportunity to build the next big operating system for AI agents in the cloud era. Everything that’s running on top of the cloud should be based on Echo.” — Eilon Elhadad, Co-Founder and CEO, Echo
Resources and Documentation
- Echo, enterprise-vetted patched container images and open source libraries for vulnerability-free software consumption
- National Vulnerability Database (NVD), NIST’s official CVE tracking and scoring database
- Debian, upstream Linux distribution Echo is actively contributing patches to
***
Full Raw Transcript
Swapnil Bhartiya: Hi. This is Swapnil Bhartiya, and we are here at Open Source Summit in Minneapolis, and today we have with us Eilon Elhadad, CEO and co-founder of Echo. Eilon, it’s great to have you on the show.
Eilon Elhadad: Great to have you.
Swapnil Bhartiya: It’s my pleasure to talk to you. And you folks are building something really interesting, especially when it comes to security and open source. And before we started the interview you said this is your second company. So I would love to know a bit about your background and, of course, quickly about the previous company, which will create a very good foundation for Echo.
Eilon Elhadad: Yeah, absolutely. So first of all, like, I think everything started when I served in the Israeli Defense Forces. I basically was in the Israeli NSA. I built cybersecurity solutions for seven years and I led the entire division there. And immediately after that, me and my second co-founder Ilam built a company called Argon. We were pioneering software supply chain security. It wasn’t a big thing back then. Today, like, everybody talks about it, and we had a very big success, and after that we were acquired by Aqua, which is also a cloud security player, and that’s what led us to see many, many organizations deal with CVEs and vulnerabilities, and that’s the main reason we decided to build Echo.
Swapnil Bhartiya: Let’s also explain to folks, when we talk about CVEs and vulnerabilities, how different it is when we look at the larger security picture when it comes to the software stack.
Eilon Elhadad: Yes. So basically CVEs and vulnerabilities, that’s a known path for an attacker to get into your systems in general, and it can affect your entire stack. And the idea is that in this AI world you are chasing after them because you can’t keep up. Like in the last year, 30,000 vulnerabilities were figured out by the NVD, and we are speaking that in a few years it will become millions in a year. So organizations just can’t keep up with it.
Swapnil Bhartiya: So, so you’re talking container images, right? When you talk especially, or you’re talking about open source libraries, the open source community. But that is a big, you know, the surface is too large, because there are millions of open source projects and they all depend on those different libraries. And of course, you know, you put them all together and create container images. So talk about the vastness of the risk that we’re talking about here.
Eilon Elhadad: So in general that’s, like, a very big problem to tackle. Yeah, and that’s the main reason we think, like, we are seeing that it can be a big company in these days, because when you look at open source it’s the entire world. We specifically started with containers. We focus on containers and provide vulnerability-free containers. But then our customers said, like, listen, the attack path doesn’t stop, you know, in the container itself. It also expands to the open source libraries. So, so we started patching libraries and trying to prevent all those sorts of supply chain attacks. And yeah, if you want to build a big company in these days, you need to deliver significant protection for your customers.
Swapnil Bhartiya: Right. And can you also explain, you know, when we talk about container images, you know, the container itself is, you know, you just take a lot of things, and, you know, sometimes the interesting thing is that, especially after Docker containers, folks will either, you know, get a container, of course they have private repositories as well. They don’t even know what is in that container. They don’t even know where the links are heading to. So the more you make things easier, the more it can become challenging. So can you also talk about the challenges that we are seeing today when it comes to either container images or libraries? Also, nowadays security is no longer an afterthought, right? Especially the push with the CNCF and cloud native security is kind of. That’s why we have seen the whole DevSecOps, security has kind of become a board-level discussion. Organizations have CISOs now. So security is no longer someone else’s problem. Security is no longer an afterthought. So are you also seeing that there is a lot of awareness about it? So when folks walk to you here at the booth, they are not asking what do you folks do? Rather they come and ask very hard questions. So where is security today?
Eilon Elhadad: Yeah, so I think, like, today, as you mentioned, DevSecOps is basically a position that should, you know, create a bridge between developers and security. Today every, you know, respectable company has a CISO, and when people come to the booth they literally know to ask about how you can prevent axios, like how you can prevent the next supply chain attack. What do you do, you know, like how you can keep up with all of those AI models that will find new vulnerabilities. So organizations are highly educated, and we also see a big trend that it’s no longer only, like, a security issue. Engineers and developers are a big part of this challenge and they need to help the organization deal with the challenge.
Swapnil Bhartiya: Also, nowadays there is a lot of awareness about SBOMs. SBOMs are also coming out, but the focus is more on, I mean, unless you know what’s in your pipeline, how will you secure it? It’s like the assembly line of a car, and you need to know every component. So that is the essential part. But protecting is the next step. But a lot of companies are already doing it, and from my experience I feel that security is kind of sticky once you go with a company. It’s not like you change vendors very often. So talk about how much things have improved. And also the whole software supply chain, also in Europe, CRA is coming. It’s always there. Next year the implementation is happening around the globe. Organizations, especially AI people, are becoming more and more sensitive. So what I’m trying to understand is, because this area is so big and large to talk about, I would love to understand how Echo works the supply chain: what’s in your code base, what’s in the container images, what libraries, what dependencies you rely on, and then how to protect it. And then also we’ll talk about how you protect it, whether the customer protects it or you protect it. So let’s talk about it one by one.
Eilon Elhadad: Okay, so one by one. First of all, like, from a perspective of visibility, the organizations are in a stage that they are very mature. They have SBOMs, they have many, there are many cloud security vendors out there, most of them, by the way, partnering with Echo or using Echo behind the scenes. So from a visibility perspective, every organization has a few scanners, you can see everything. But the hard part is to fix and to stop chasing after vulnerabilities. That’s their main challenge today. The second piece is regulation. You mentioned CRA. CRA is kind of the equivalent of FedRAMP. So there is a big, like, catalyst in the market that the big organizations, if you want to work with them, you need to be certified and to be compliant with CRA and FedRAMP. So, like, the market also understands that it’s not anymore a question. If you want to do it, you have to do it. That’s what regulation brings. And that’s the last piece of what you mentioned. Echo is dealing with, I think from our perspective, the most important part. So visibility is done, you need to fix it. How you fix it: you are not running and chasing after that. You are building secure by design. That means that the approach is completely changed. It’s not shift left anymore, shift right. It’s like you are consuming from a trusted source, from an enterprise source, everything that you need. So today you are consuming containers from Echo that are patched by Echo, and then you are moving and, like, consuming open source libraries that are vetted by Echo and also patched by Echo. And once you are doing those things, in your visibility dashboard you will see that it’s clean.
Swapnil Bhartiya: So you are providing them with libraries. You become their source for libraries. So why don’t you work directly with the upstream project so that the libraries are fixed at their end versus downstream? My question is more or less to do with the fact that now they have to depend on your container images.
Eilon Elhadad: Correct.
Swapnil Bhartiya: And that is more or less like a vendor lock-in issue.
Eilon Elhadad: It could be.
Swapnil Bhartiya: And it could also be that they are worried about how long can we trust Echo, how long will Echo be around. So I’m also looking at sustainability.
Eilon Elhadad: Yeah. So I will divide my answer in two. One, when today you are buying a laptop, you trust, let’s say, Microsoft or Apple, depending what’s your flavor, to patch and to make sure that it’s secure. Why is it so different in the cloud, when a big bank is pulling something from the Internet, maybe, let’s say, a young kid built it, who knows? So same approach here. You need an enterprise and you need to choose the vendor to trust. If you’re asking why to trust Echo, a couple of answers. One, we were pioneering software supply chain security. My CTO built the CIS benchmark for software supply chain security. We built maybe one of the biggest open sources around the world for container scanning. We raised $50 million. We have, like, many, you know, we are backed by very strong people, like industry leaders that have been building those solutions for the last 15 years. So I think it’s a great start. Then, like, to put it from the Internet, honestly.
Swapnil Bhartiya: Right. But there are so many container images. But I also want to understand how you work with upstream projects and how you work with customers. It’s more like, let’s say a customer is depending on these 10 container images. So do you vet and verify those images, or do you provide the images on your own portal and they pick and choose? What I’m trying to understand is, because everybody’s use case is different.
Eilon Elhadad: Correct.
Swapnil Bhartiya: So how do you work with the vendors and how do you work with the upstream project?
Eilon Elhadad: So our approach is, first of all, to build as much as we can from source and to build from upstream. So when the customer goes to our portal and does something called mirroring, like pulling all of the images to his organization, he will have everything ahead. It could happen that in some cases he needs something. So when he needs something, he just makes a request via API, like via all services, and he will get it really quickly to his registry. So that’s from that perspective. From the upstream maintainers’ side, actually we are doing a lot, we are trying to help them. You can see we published a few custom patches that we contributed. So basically we have seen that there is no patch in the upstream for some vulnerabilities. So we patched by ourselves and of course immediately we contributed to the upstream. We recently had a very big announcement about a new CVE that we discovered together with Sierra. So we also contributed that to the upstream. We are trying to be as collaborative as we can with the upstream and, from the other side, to deliver to our customers as much as they need from containers respectively.
Swapnil Bhartiya: So how is Echo different from, let’s say, Chainguard or Minimus? There are a lot of players in this space.
Eilon Elhadad: Yeah. I think, like, the main thing that we look at about ourselves compared to the competitors is that we know that the biggest gap for organizations is the time to value: how fast they can implement and consume your great technology. When we build Echo, and we build, like, for example, our container images, we are completely compatible and similar to the upstream. So the organization doesn’t need to do any change. So compared to the competitors we don’t need a long time of implementation. The organization just consumes us and it will work like magic out of the box because we look exactly like the upstream.
Swapnil Bhartiya: Can you talk about, I mean, of course you may or may not be able to name, but if you can share some use cases or name some companies? I’m more interested in use cases where they have used your images and that helped them with their product. And it also kind of reduces the toil on their own security teams, especially in this AI era where a lot of code is generated by AI, so it reduces that. So if you can share some use case examples, that would help.
Eilon Elhadad: Absolutely, I can share a few. One of them, and they are a great partner of ours, is UiPath, it’s a public company. We also did a big case study with them. Like, they had, I would say, hundreds of different types of container images. That means tens of thousands of microservices. It’s a company that has existed for, like, 20 years, and I think, like, in less than a quarter they achieved almost full deployment, full blown, also in their customer environments. Why? Because their solution is basically shipped to their customers. So they shipped Echo bundled with the UiPath platform. Another big use case that we spoke about a lot is EDB. Basically they are developing the Postgres database, and the CISO mentioned that they are basically saving more than 200 hours of engineering, like, every release. That’s a huge thing, and it’s completely also integrated with AI. So today AI agents use Echo in those organizations to build software.
Swapnil Bhartiya: When you folks patch all these images and make sure that the libraries are safe and secure, how much, I mean, as compared to the previous company, because of AI and also the adoption of open source having grown, how much more work do you have to do as compared to earlier?
Eilon Elhadad: So first of all, we don’t believe that we could have done it, like, five years ago at a gross margin that justifies a company. What I mean is you can bring thousands of engineers, but it’s not scalable. And then also the customers feel the price. Here we have an amazing group of engineers that basically built AI agents that do the patching, do the analysis, create the images. So instead, and there are of course, like, security engineers and people in the loop, but the majority of the work is, we are building AI agents that do most of the work while we are sleeping.
Swapnil Bhartiya: Yep, I fully understand, because we have also automated a lot of things, not at that scale, but I get bullied, and AI has made life a lot. I mean, it’s always a double-edged sword, right? So it can do some damage, but it can also bring a lot of benefit. Talk a bit about, you mentioned 50 million. You know, talk about the funding and stability and the growth of the company as well. Yes.
Eilon Elhadad: So the company, you know, we just founded in 25, raised 50 million, have dozens of public companies, some of the biggest banks working with us and putting their trust in us. We are honestly trying to be humble. We are working hard every day, but we are getting, every day, like, you know, requests to put money in the company. We have runway for a few years, and right now we are focusing on delivering value to our customers.
Swapnil Bhartiya: The previous company you sold. What is your vision and goal for this company?
Eilon Elhadad: You know, many people ask what’s our motivation, why are you working, like, you don’t need to work anymore. And actually that’s true, we don’t need to work anymore. We are here because there is an opportunity to build the next big operating system for AI agents in the cloud era. It’s a huge mission that everything that’s running on top of the cloud should be based on Echo. And that’s the main reason we are here. We want to build something big.
Swapnil Bhartiya: And what is your engagement with open source communities? Because you are here at the Open Source Summit as well. So how closely do you work with open source?
Eilon Elhadad: So I mentioned a couple of points. One of them is that we are contributing patches to the open source community. If we see that the upstream, and we did that many times, you can see, like, on our website that we announced it, if we see that the maintainer can’t solve it and doesn’t have, like, you know, the resources to solve it, we will contribute the custom patch. Recently, with another partner of ours, we discovered a CVE and we let the community know. Now we are working with the Debian community on a patch that we contributed, and you will see it as soon as the announcement comes. So we are trying as much as we can to contribute back to the community.
Swapnil Bhartiya: Awesome. Eilon, thank you so much for joining me and sharing more information about the company, because this is a problem area, and thank you for your time, and I’d love to talk to you again. Thank you.
Eilon Elhadad: Absolutely. Thank you.