As enterprises accelerate the deployment of LLMs and agentic workflows, they are hitting a critical infrastructure bottleneck: the container base images powering these applications are riddled with inherited security debt. Echo, an Israeli startup, is announcing $35 million in Series A funding today (bringing its total funding to date to $50 million) to fix this by fundamentally reimagining how cloud infrastructure is built.

The round was led by N47, with participation from Notable Capital, Hyperwise Ventures, and SentinelOne. But the real story isn't the capital—it's the company’s ambitious goal to replace the chaotic open-source supply chain with a managed, "secure-by-design" operating system.

The Hidden Operating System of the Cloud

To understand why Echo matters, you first have to understand the invisible foundation of the modern internet: container base images.

Think of a "container" like a shipping box for software. It holds the application code (what the developers write) and everything that code needs to run (the "base image"). For a non-technical audience, the best way to understand a base image is to compare it to a brand-new laptop. When you buy a computer, it comes with an Operating System (OS) like Windows or macOS pre-installed to handle the basics—talking to the hard drive, connecting to Wi-Fi, and running programs. Without it, the computer is useless.

In the cloud, the base image is that Operating System. Whether a company like Netflix or Uber is building a simple web app or a complex network of autonomous AI agents, they rely on these pre-built layers (like Alpine, Python, or Node.js) to define the underlying runtimes and dependencies.

Here is where the risk begins. Unlike Windows or macOS, which are maintained by tech giants, most base images are open-source and created by communities of volunteers.
Because they are designed to be useful to everyone, they are often packed with "bloat"—hundreds of extra tools and settings that most companies don't actually need.

Eylam Milner, Echo’s CTO, uses a stark analogy to explain why this is dangerous: "Taking software just from the open source world, it's like taking a computer found on the sidewalk and plugging it into your [network]."

Traditionally, companies try to fix this by downloading the image, scanning it for bugs, and attempting to "patch" the holes. But it is a losing battle. Echo’s research indicates that official Docker images often contain over 1,000 known vulnerabilities (CVEs) the moment they are downloaded. For enterprise security teams, this creates an impossible game of "whac-a-mole," inheriting infrastructure debt before their engineers write a single line of code.

The "Enterprise Linux" Moment for AI

For Eilon Elhadad, Echo’s co-founder and CEO, the industry is repeating history. "Exactly what's happened in the past... everybody run with Linux, and then they move to Enterprise Linux," Elhadad told VentureBeat. Just as Red Hat professionalized open-source Linux for the corporate world, Echo aims to be the "enterprise AI native OS"—a hardened, curated foundation for the AI era.

"We see ourselves in the AI native era, the foundation of everything," says Elhadad.

The Tech: A "Software Compilation Factory"

Echo is not a scanning tool. It does not look for vulnerabilities after the fact. Instead, it operates as a "software compilation factory" that rebuilds images from scratch.

According to Milner, Echo’s approach to eliminating vulnerabilities relies on a rigorous, two-step engineering process for every workload:

Compilation from Source: Echo starts with an empty canvas. It does not patch existing bloated images; it compiles binaries and libraries directly from source code.
This ensures that only essential components are included, drastically reducing the attack surface.

Hardening & Provenance (SLSA Level 3): The resulting images are hardened with aggressive security configurations to make exploitation difficult. Crucially, the build pipeline adheres to SLSA Level 3 standards (Supply-chain Levels for Software Artifacts), ensuring that every artifact is signed, tested, and verifiable.

The result is a "drop-in replacement." A developer simply changes one line in their Dockerfile to point to Echo’s registry. The application runs identically, but the underlying OS layer is mathematically cleaner and free of known CVEs.

AI Defending Against AI

The need for this level of hygiene is being driven by the "AI vs. AI" security arms race. Bad actors are increasingly using AI to compress exploit windows from weeks down to days. Simultaneously, "coding agents"—AI tools that autonomously write software—are becoming the number one generators of code, often statistically selecting outdated or vulnerable libraries from open source.

To counter this, Echo has built a proprietary infrastructure of AI agents that autonomously manage vulnerability research.

Continuous Monitoring: Echo’s agents monitor the 4,000+ new CVEs added to the National Vulnerability Database (NVD) monthly.

Unstructured Research: Beyond official databases, these agents scour unstructured sources like GitHub comments and developer forums to identify patches before they are widely published.

Self-Healing: When a vulnerability is confirmed, the agents identify affected images, apply the fix, run compatibility tests, and generate a pull request for human review.

This automation allows Echo’s engineering team to maintain over 600 secure images—a scale that would traditionally require hundreds of security researchers.

Why It Matters to the CISO

For technical decision-makers, Echo represents a shift from "mean time to remediation" to "zero vulnerabilities by default."

Dan Garcia, CISO of EDB, noted in a
press release that the platform "saves at least 235 developer hours per release" by eliminating the need for engineers to investigate false positives or patch base images manually.

Echo is already securing production workloads for major enterprises like UiPath, EDB, and Varonis. As enterprises move from containers to agentic workflows, the ability to trust the underlying infrastructure—without managing it—may be the defining characteristic of the next generation of DevSecOps.

Pricing for Echo's solution is not publicly listed, but the company says on its website it prices "based on image consumption, to ensure it scales with how you actually build and ship software."
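
The "change one line in the Dockerfile" migration described above only holds if every image reference in the file moves, including later build stages and `COPY --from=` sources. The following is an added example, not Echo's tooling or code from the article: a policy check over a Dockerfile that assumes a placeholder registry prefix (`registry.example.com/hardened/`) and a pin-by-digest rule; all names in it are hypothetical.

```python
import re

# Assumption: placeholder prefix for the approved hardened registry.
APPROVED = ("registry.example.com/hardened/",)
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")
VAR = re.compile(r"\$\{?(\w+)\}?")

def audit_base_images(dockerfile, approved=APPROVED):
    """Return (line_no, image, problem) for each external image breaking policy."""
    findings, stages, args, seen_from = [], set(), {}, False
    def check(no, ref):
        # Expand global ARG defaults; an ARG without one stays as "$NAME".
        image = VAR.sub(lambda m: args.get(m.group(1), m.group(0)), ref)
        if image == "scratch" or image.lower() in stages or image.isdigit():
            return  # empty base, earlier stage by name, or stage index
        if "$" in image:
            findings.append((no, image, "unresolved build argument"))
        elif not image.startswith(approved):
            findings.append((no, image, "registry not approved"))
        elif not PINNED.search(image):
            findings.append((no, image, "not pinned by digest"))
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        keyword, rest = words[0].upper(), words[1:]
        if keyword == "ARG" and rest and "=" in rest[0] and not seen_from:
            name, _, default = rest[0].partition("=")
            args[name] = default.strip("\"'")  # only global ARGs reach FROM
        elif keyword == "FROM":
            seen_from = True
            operands = [w for w in rest if not w.startswith("--")]
            if operands:
                check(no, operands[0])
            if len(operands) >= 3 and operands[1].upper() == "AS":
                stages.add(operands[2].lower())
        elif keyword == "COPY":
            for w in rest:
                if w.startswith("--from="):
                    check(no, w[len("--from="):])  # may name an external image
    return findings

# Constructed sample Dockerfile; the digest is a dummy value.
SAMPLE = f"""ARG RUNTIME=registry.example.com/hardened/python:3.12@sha256:{'a' * 64}
FROM --platform=linux/amd64 python:3.12-slim AS build
FROM registry.example.com/hardened/node:22 AS assets
FROM ${{RUNTIME}} AS app
COPY --from=build /deps /deps
COPY --from=nginx:latest /etc/nginx/mime.types /etc/mime.types"""
```

A default set with `ARG` can be replaced with `--build-arg` at build time, so a CI gate built on this check also needs to control the build arguments.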