2 Sources
[1]
Aikido buys Israel's Root to patch open source with AI
Belgian cyber unicorn Aikido has acquired Israeli startup Root, reportedly for $70mn to $100mn, for AI agents that patch open-source vulnerabilities in minutes without forcing risky upgrades. It is also opening a development centre in Israel.

A Belgian cybersecurity unicorn has bought an Israeli startup with an unusual trick. Its AI agents fix an open-source flaw without breaking the app that depends on it, something most security tools cannot do. Aikido Security, based in Ghent, became Europe's fastest cybersecurity company to reach a $1bn valuation in January. It has now acquired Root. Aikido did not disclose a price. Israeli outlet Calcalist reported a figure of between $70mn and $100mn. Aikido will also open a development centre in Israel. It plans to absorb all of Root's roughly 25 staff, most of them in Tel Aviv.

The target is a problem every software company knows and few have solved. Open source is everywhere, and it is full of holes. Almost every application leans on open-source packages, which makes them a favourite way in for attackers. Log4Shell, the critical bug found in Log4j back in 2021, still runs in millions of systems today.

Patching without the pain

Fixing these flaws is meant to be simple and rarely is. When a dependency turns out to be vulnerable, a team's choices are both bad. Upgrade to a newer version, and you risk breaking a working app or pulling in fresh malware. Migrate to a vendor's locked-down replacement, and you have swapped one dependency for another. That often takes months of work.

Root's pitch is to skip that trade-off. Its platform runs swarms of AI agents that research, write, test, and ship a patch in roughly 15 to 40 minutes, according to SiliconANGLE. By hand, the same job can take weeks. The fix goes straight to the exact version a company already runs, so there is no rebuild and no migration. In more than four out of five cases, Root changes no code at all. A human reviewer signs off rather than writes the patch.

Aikido is folding this into its platform as a feature called Aikido Libraries. One customer, the data-security firm BigID, cleared more than 1,000 vulnerabilities in two weeks. Over 300 of those counted as high or critical, spread across six production images, and it kept its existing stack.

Why AI cuts both ways

The timing is not an accident. AI is giving attackers faster and cheaper ways to find and exploit flaws. Attackers now hit almost a third of known vulnerabilities on or before the day they surface. The agentic approach that lets Root patch in minutes gives defenders the speed they now need. The people breaking in already have it.

That threat is already visible across the software supply chain. It runs from malware smuggled into popular packages to breaches that leak AI training secrets. It reaches the security failures piling up around fast-moving vibe-coding platforms. Aikido's bet is that fighting agents with agents is the only way to keep up.

A rare open-source giveback

Alongside the deal, Aikido announced something unusual for a commercial security firm. It will backport its fixes for critical, actively exploited open-source vulnerabilities to the wider community. It plans to contribute them upstream to the projects that maintain the code, rather than keep them behind a paywall.

"This is a choice between walled gardens and real support for open source. We chose open source," said Ian Riopel, Root's co-founder and chief executive. Adrian Estrada, chief technology officer of NodeSource and an OpenJS board director, welcomed the move. He said maintainers are "drowning in security work," and that the backports take work off their plates.

Root has an unusual history of its own. It began as Slim.AI, the company behind the widely used open-source container tool Slim Toolkit. It later pivoted from shrinking container images to securing them. It had raised about $37.6mn, and Gartner this year named it an emerging vendor in automated vulnerability remediation.

Aikido's shopping spree

For Aikido, Root caps a busy year of buying. In 2025 it snapped up the AI code-review startup Trag and the autonomous penetration-testing firms Allseek and Haicker. A branded patch engine is a natural next piece for a company selling a single platform to secure code from writing to running. The deal also underlines how much of the world's cybersecurity talent still sits in Israel, and how European buyers are increasingly the ones writing the cheques.

Aikido now serves more than 100,000 teams, including Revolut, SoundCloud, and the Premier League. With Root, it is betting that the winning move in open-source security is not to argue about which holes to fix first, but simply to fix them where they are.
[2]
Aikido acquires Root to patch open-source software without forced upgrades
Belgian cybersecurity company Aikido Security NV today announced that it has acquired Root.io Inc., a company that offers patching for vulnerable open-source software at the exact versions organizations are already running.

Founded in 2020 as Slim.AI Inc., the startup offered a popular open-source container tool called Slim Toolkit. It rebranded last year as its technology shifted from shrinking container images to securing them.

Root sells what it calls agentic vulnerability remediation. When a new vulnerability is published, swarms of specialized AI agents research, write, test and ship a patch in roughly 15 to 40 minutes, against the weeks the process can take by hand. The fixes go straight to the container images and software dependencies a company is already running, at the versions it has pinned, so there's no rebuild and no migration.

In more than four out of five cases, Root makes no code changes at all, with a human reviewer signing off rather than writing the patch. The company says that approach let data security firm BigID Inc. clear more than 1,000 vulnerabilities, in excess of 300 of them rated high or critical, across six production images in two weeks without abandoning its Debian and Ubuntu-based stacks.

For Aikido, the appeal is that the technology sidesteps the choice most teams face when a dependency turns up vulnerable. Upgrading to a newer version of a package can break a working application or pull in fresh malware, while migrating to a vendor's locked-down replacement swaps one dependency for another. Root's patches, which Aikido is folding into its platform as a feature called Aikido Libraries, fix the specific flaw without the breaking changes a full version bump tends to bring and the company said the technology generates hundreds of verified patches a day.

"Open source needs patching and it needs it fast. Today you have two options and neither works for most companies: upgrade and likely break your application, or migrate to a vendor's locked-down replacement," said co-founder and Chief Executive Willem Delbare. "With Root, we fix what teams are actually running, generating hundreds of verified patches a day: no upgrades, no migrations, no breaking changes. That's how supply chain security gets solved for everyone, not just the 1%."

Coming into its acquisition, Root had raised $37.6 million, including a $31 million Series A in 2022 co-led by Insight Partners and StepStone Group. Gartner Inc. this year named Root an emerging vendor in the automated vulnerability remediation category.

Aikido said that alongside the acquisition, it will start back-porting fixes for critical, actively exploited open-source vulnerabilities to the wider community across the ecosystems it supports, contributing those patches upstream to the projects that maintain the code rather than keeping them locked behind a paywall.

The deal caps a busy run of acquisitions for Aikido, which over the course of 2025 snapped up the AI code-review startup Trag along with the autonomous penetration testing companies Allseek BV and Haicker SA. In January, the company raised $60 million in a Series B round that valued it at $1 billion and made it the fastest European cybersecurity company ever to reach unicorn status. Aikido says its platform is now used by more than 100,000 teams, among them the Premier League, Revolut Ltd. and SoundCloud.
Belgian cybersecurity unicorn Aikido Security has acquired Israeli startup Root for a reported $70mn to $100mn, gaining AI agents that patch open-source vulnerabilities in 15 to 40 minutes without forcing risky upgrades. The deal addresses a critical problem: fixing security flaws in open-source dependencies without breaking existing applications or creating vendor lock-in.
Belgian cybersecurity unicorn Aikido Security NV has acquired Root.io Inc., an Israeli startup specializing in AI-driven patching of open-source vulnerabilities, for a reported $70mn to $100mn according to Israeli outlet Calcalist [1]. The deal brings AI agents that autonomously patch vulnerabilities in roughly 15 to 40 minutes, a process that typically takes weeks when done manually [2]. Aikido, which became Europe's fastest cybersecurity company to reach a $1bn valuation in January, plans to absorb all of Root's roughly 25 staff and open a development centre in Israel [1].
Source: SiliconANGLE
The acquisition targets a persistent challenge in software security: how to patch open-source software without breaking production systems. When a dependency turns vulnerable, teams face two problematic choices. Upgrade to a newer version and risk breaking a working application or pulling in fresh malware, or migrate to a vendor's locked-down replacement and accept months of work plus vendor lock-in [1]. Root's platform bypasses this trade-off entirely by deploying swarms of specialized AI agents that research, write, test, and ship patches directly to the exact versions companies already run, eliminating the need for forced upgrades or migrations [2].

Root's approach to patching open-source vulnerabilities delivers measurable results. In more than four out of five cases, the system makes no code changes at all, with human reviewers signing off rather than writing patches themselves [2]. Data security firm BigID cleared more than 1,000 vulnerabilities in two weeks using Root's technology, with over 300 rated high or critical across six production images, all while maintaining its existing Debian and Ubuntu-based stacks [1]. Aikido is integrating this capability into its platform as Aikido Libraries, which the company says generates hundreds of verified patches daily [2].

The timing reflects an escalating threat landscape where AI cuts both ways. Attackers now hit almost a third of known vulnerabilities on or before the day they surface, leveraging AI for faster exploitation [1]. The agentic approach that enables Root's rapid patching gives defenders the speed they need to counter attackers who already possess similar capabilities. This arms race extends across the entire software supply chain, from malware smuggled into popular packages to breaches exposing AI training secrets.

Alongside the acquisition, Aikido announced it will backport critical fixes for actively exploited open-source vulnerabilities to the wider community, contributing patches upstream to maintainer projects rather than keeping them behind a paywall [2]. "This is a choice between walled gardens and real support for open source. We chose open source," said Ian Riopel, Root's co-founder and chief executive [1]. Adrian Estrada, chief technology officer of NodeSource and an OpenJS board director, welcomed the move, noting that maintainers are "drowning in security work" and that the backports relieve their burden [1].

Root caps an aggressive acquisition strategy for Aikido in 2025, following purchases of AI code-review startup Trag and autonomous penetration testing firms Allseek BV and Haicker SA [2]. The AI-driven platform for patching represents a natural addition to Aikido's vision of securing code from development through production. Founded in 2020 as Slim.AI Inc., Root originally offered the popular open-source container tool Slim Toolkit before pivoting from shrinking container images to securing them and rebranding last year [2]. Root had raised $37.6mn, including a $31mn Series A in 2022, and Gartner this year named it an emerging vendor in automated vulnerability remediation [1]. Aikido now serves more than 100,000 teams, including Revolut, SoundCloud, and the Premier League [1].

Summarized by Navi