Aikido Security Acquires Root for $70 Million to Automate Open-Source Patching
Aikido Security has acquired Root for $70 million, integrating automated vulnerability remediation into its application security platform to enhance open-source package hardening and reduce supply-chain risk.

Aikido Security has acquired Root, an open-source protection startup, for $70 million in a move designed to bolster its application security platform with automated vulnerability remediation capabilities. The acquisition aims to enable enterprises to deploy hardened open-source packages and container images, thereby significantly reducing software supply-chain risk.
Root, founded in 2020 as Slim.io and later rebranded, has focused on creating patched and validated software components. Aikido COO Roeland Delrue stated that the integration will allow customers to consume secure software without the burden of self-remediation. "We were already partnering up, already co-selling, already white labeling and then what's the next level in even more intense type of partnership? I guess it's an M&A," Delrue explained, highlighting the de-risked nature of the acquisition due to prior collaboration and shared customers.
Previously, Aikido's platform focused on discovering vulnerabilities and providing remediation guidance across source code, cloud environments, and containers. By embedding Root's technology, Aikido can now offer automated remediation, moving beyond mere recommendations. Root's CEO Ian Riopel emphasized that their technology is not just about individual fixes but a "software factory" capable of producing vulnerability fixes at AI speed, ensuring they are easily consumable and do not introduce breaking changes.
Riopel further elaborated that Root has developed an operational pipeline that can fix hundreds of vulnerabilities daily while adhering to strict quality controls and service-level agreements. He noted that building such an infrastructure internally would have demanded substantial engineering resources and operational maturity, making the acquisition a more efficient strategic decision. "The technology behind Root of patching hundreds of CVEs per day and vulnerabilities is very particular knowledge," Delrue added.
Through Aikido's broader reach, Root gains visibility into hundreds of thousands of users, software repositories, and open-source packages. This expanded dataset is crucial for Root's automated remediation platform, enabling it to identify emerging patterns, improve vulnerability prioritization, and generate higher-quality fixes more efficiently. "We're able to see and observe and understand what's happening across hundreds of thousands of users and hundreds of thousands of open-source packages and ultimately feed that into our machine to produce an even better outcome for everyone," Riopel said.
Since the acquisition closed, Aikido has expanded access to Root's hardened packages across its customer base. They have also introduced a new container registry firewall designed to block vulnerable or malicious software before it reaches production environments. The companies are extending this protection beyond container images to provide trusted versions of open-source dependencies for popular ecosystems like Python, Java, and npm.
Delrue highlighted the increasing need for rapid remediation, stating, "Enterprises have a lot more code and therefore a lot more vulnerabilities, especially because they typically have a lot more legacy. It's all about speed nowadays, so you've got to get those things remediated as quickly as possible." Riopel pointed out that threat actors increasingly target open-source repositories and software package ecosystems, as compromising a single dependency can impact thousands of downstream applications. The growing use of AI-assisted software development further exacerbates this risk, making automated, reliable patching solutions like the integrated Aikido-Root platform increasingly critical.