siliconangle.com web signal

Aikido buys Root to auto-patch open-source CVEs in minutes

TL;DR

  • Belgian cybersecurity unicorn Aikido Security is acquiring Root.io, founded in 2020 as Slim.AI and rebranded last year.
  • Root's agents reportedly research, write, test and ship an open-source vulnerability patch in roughly 15 to 40 minutes.
  • The technology will ship inside Aikido as a feature called Aikido Libraries, with no code changes claimed in over four out of five cases.

Belgian cybersecurity unicorn Aikido Security is buying Root.io, the agentic vulnerability-remediation startup that began life in 2020 as Slim.AI before rebranding last year, SiliconAngle reported. The interesting part of the announcement isn't the deal mechanics; it's the workflow it claims for the most boring, most universal problem in application security: known vulnerabilities in open-source dependencies you can't easily upgrade away from.

The pitch, per the reporting, is that swarms of specialized AI agents "research, write, test and ship a patch in roughly 15 to 40 minutes," and that "in more than four out of five cases, Root makes no code changes at all," instead back-porting a fix to the version the team is already running. Inside Aikido that capability will ship as a feature called Aikido Libraries. The company points at a BigID engagement where the system reportedly cleared more than 1,000 vulnerabilities, in excess of 300 of them rated high or critical, across six production images in two weeks.

Why a practitioner should care: most remediation pain isn't writing a patch; it's the cascade of version bumps the patch implies. Upgrade the library, and the API contract shifts, three internal services break, and the security ticket sits in a backlog for a quarter. A workflow that patches the version you actually run, rather than asking you to migrate, is plausibly the unsexy but high-leverage piece of AppSec.

The honest caveat is that the load-bearing claims here (the per-patch time window, the four-of-five hit rate, the BigID numbers) are the company's. Take the specifics as reported, not settled. What the reporting doesn't give you is a deal price, a close date, an outside audit of patch quality, or any detail on how the agent decides when not to attempt a back-port. Auto-generated patches that look fine but quietly diverge from upstream are the kind of thing that bites teams six months later in a re-scan.

For Aikido, which hit unicorn status in January 2026 on a $60 million Series B at a $1 billion valuation and now sits on a customer base above 100,000 teams including the Premier League, Revolut and SoundCloud, the bet is whether autonomous back-ports can be safe enough to merge without a human pull request. If they are, the slow grind of CVE work changes for everyone downstream. If they aren't, this becomes another agentic claim that lives mostly on slide decks.