Aikido Security has announced the acquisition of Root, combining capabilities to strengthen open source security and address the growing threat of software supply chain attacks. The move brings together both companies' focus on enabling developers and autonomous systems to securely build with open source while improving vulnerability remediation at scale.
Open source software remains foundational to modern applications, but it has also become a primary attack surface for cybercriminals. Organizations now face two escalating risks: malicious code hidden in open source dependencies and long-standing vulnerabilities that remain unpatched in production environments.
High-profile incidents such as Log4Shell continue to impact systems globally years after disclosure, while emerging data shows that nearly one-third of known vulnerabilities are exploited on or before public disclosure. The rise of AI-driven attack methods has further accelerated the speed and scale of exploitation.
Traditional vulnerability management often forces organizations into difficult trade-offs: upgrading dependencies that may break applications or migrating to alternative solutions that introduce new risks and costs.
Aikido Security aims to eliminate this trade-off by integrating Root’s technology into its platform, enabling automated patching of vulnerabilities without requiring version upgrades or disruptive changes. The approach focuses on applying verified fixes directly to existing software environments, improving security without affecting application stability.
Through Root’s technology, now integrated into Aikido Libraries, organizations can apply security patches directly to vulnerable dependencies while maintaining application compatibility.
The system generates validated fixes across container images and application dependencies, reducing remediation time from weeks to minutes. This approach is designed to help security teams handle the growing volume of vulnerabilities more efficiently while minimizing operational disruption.
As part of the acquisition, Aikido is introducing backported fixes for critical and actively exploited vulnerabilities across open source ecosystems. These fixes are designed to be contributed back to upstream projects, ensuring that improvements benefit the broader developer community rather than remaining behind commercial boundaries.
This initiative aims to reduce the burden on open source maintainers while improving the overall security posture of widely used software components.
Willem Delbare, Co-founder and CEO, Aikido Security
"Open source needs patching, and it needs it fast. Today you have two options, and neither works for most companies: upgrade and likely break your application, or migrate to a vendor's locked-down replacement. With Root, we fix what teams are actually running, generating hundreds of verified patches a day: no upgrades, no migrations, no breaking changes. That's how supply chain security gets solved for everyone, not just the 1%."
Adrian Estrada, CTO of NodeSource, OpenJS Board Director and Node.js Core Contributor
"Open source maintainers are drowning in security work while trying to keep the projects the world depends on running. Aikido and Root are taking work off our plate by backporting fixes and contributing them upstream."
Ian Riopel, Co-founder and CEO, Root
"The industry is still stuck on triage, taking a giant list of CVEs and arguing over which ones to fix first. Or worse, telling teams to throw out their images and start over with someone else's. We built Root to skip the argument and just fix the problem in place. This is a choice between walled gardens and real support for open source. We chose open source."
The acquisition of Root follows a series of strategic moves by Aikido Security, including prior acquisitions in AI code review and autonomous penetration testing. The company continues to expand its unified security platform across code, infrastructure, and runtime environments.
Aikido Security recently reached unicorn status following a $60 million Series B round, positioning itself as one of Europe’s fastest-growing cybersecurity companies.
Aikido Security is building self-securing software for modern development teams. Aikido's unified security platform secures everything developers build, ship, and run from code to runtime, helping teams to reduce risk without slowing down development. Aikido is the fastest-ever European cybersecurity company to reach unicorn status and is trusted by over 100,000 teams, with a global customer base including the Premier League, MontBlanc, n8n, Revolut, SoundCloud, and Niantic.
Root keeps open source secure at the versions teams already run. Root's agentic platform researches, patches, tests, and delivers validated fixes across container images and application dependencies in minutes, not weeks. Root was founded by Ian Riopel, John Amaral, Benji Kalman, and Mickey Gordon, and is backed by Insight Partners, Decibel Ventures, Boldstart Ventures, Lama Partners (formerly FXP Ventures), and TechAviv. Root is trusted by security-conscious organizations, including SiXWorks (an IBM company), DeleteMe, and Relay Networks.