Aikido Security has bought Root for a reported $70 million, and the logic of the deal is simpler than the roll-up around it suggests: the industry has spent a decade telling teams to triage a backlog of CVEs and then choose between two bad fixes — upgrade and risk breaking production, or migrate to a vendor’s locked-down replacement. Root’s pitch is that both options are unnecessary. Aikido is paying to make that pitch its own.
What Aikido Actually Bought
Root sells agentic vulnerability remediation. When a new flaw is published, a swarm of specialized AI agents researches, writes, tests, and ships a patch in roughly fifteen to forty minutes, against the weeks the same work takes by hand. The fix lands on the container image or dependency a company is already running, at the exact version it has pinned, so there is no rebuild and no migration. In more than four out of five cases the system changes no application code at all, with a human reviewer signing off rather than authoring the patch. That is the asset Aikido wanted: not a point tool, but a pipeline that produces hundreds of validated fixes a day at machine speed.
The technology arrives inside the platform as two products, Aikido Libraries and Aikido Images — drop-in patched dependencies and hardened container images meant to be consumed rather than remediated. Alongside them, Aikido is committing to backport fixes for critical, actively exploited open-source vulnerabilities — the short list on CISA’s Known Exploited Vulnerabilities catalog — upstream to the community for free, rather than gating them behind the paywall.
The Fourth Deal in a Year
This is Aikido’s fourth acquisition in just over a year, following the AI code-review startup Trag and the autonomous penetration-testing firms Allseek and Haicker in 2025. The through-line is consolidation of the find-and-fix loop into one platform. Aikido has historically been strong at discovery — scanning source, cloud, and containers — while handing customers remediation guidance rather than the remediation itself. Root closes that gap by converting recommendations into merge-ready patches, and in return gains the operational data and customer environments that sharpen its models. The Belgian company reached unicorn status in January on a $60 million Series B at a $1 billion valuation, and it is now spending that capital to buy capability it would otherwise have to build.
Why In-Place Patching Is the Right Bet
The market case rests on a hard number: nearly a third of known vulnerabilities are now exploited on or before the day they are disclosed, and vulnerable Log4j versions still run in millions of production systems more than four years after Log4Shell. The delay is not ignorance but friction — upgrading a dependency can pull in unrelated changes, break working code, or introduce fresh vulnerabilities of its own, so teams defer. Remediation that removes the upgrade removes the excuse to wait. Root founder Ian Riopel, a former Cisco security specialist, frames the industry’s status quo as an argument over which CVEs to fix first; the product’s premise is that the argument itself is the failure. Whether the free KEV backporting is genuine ecosystem investment or durable top-of-funnel marketing, it does both jobs at once, and in supply-chain security those are hard to separate.
The Tel Aviv Footnote That Isn’t Minor
Root began as Slim.AI, the company behind the open-source Slim Toolkit, and carries roughly $37.6 million in prior funding from Insight Partners, Decibel, Boldstart, and TechAviv. It also carries a Tel Aviv development center of about fifteen engineers, and Aikido is opening an Israeli R&D site to absorb Root’s team and expand locally. For a Belgian acquirer building a global AI-security platform, that is a deliberate bet on where the remediation talent sits. The deal’s real signal is what it says about the shape of the category: vulnerability management is collapsing into vulnerability remediation, the gap between finding a flaw and shipping its fix is becoming the entire product, and the vendors who own that gap will own the market. Aikido just paid to own it.