Decoding the world of cybersecurity

Aikido buys Root for open source patching

Belgian security company Aikido has acquired Root, adding technology for backported open source fixes as dependency risk moves deeper into developer workflows.

Aikido buys Root for open source patching
Summary
  • Aikido has acquired Root to add backported fixes for vulnerable open source components.
  • The company says Root’s technology can generate patches for package versions already running in production.
  • The acquisition reflects demand for remediation capability that reduces dependency risk without forcing disruptive upgrades.

Aikido Security has acquired Root, adding technology designed to help organisations apply security fixes to open source components without forcing immediate upgrades or migrations to replacement packages.

The Belgian cybersecurity company says Root’s technology can generate precise CVE patches for the package versions teams already run. Aikido says the capability will support Aikido Libraries and Aikido Images, providing drop-in replacement libraries and container images intended to patch vulnerable software without breaking changes.

The acquisition lands in a market where vulnerability management increasingly collides with software delivery reality. Enterprises may know a dependency is vulnerable, but upgrading to a later version can break applications, require testing across multiple services, introduce compatibility problems, or consume engineering capacity already committed elsewhere.

That operational friction leaves a long tail of known vulnerabilities in production. Open source dependencies are now embedded through direct imports, transitive packages, containers, build tooling, and developer workflows. Attackers can exploit known flaws faster than many organisations can test and deploy upgrades, especially where applications depend on older versions that cannot be moved quickly.

Aikido says Root uses an agent-native approach to generate verified patches at speed. It also says critical fixes for actively exploited vulnerabilities will continue to be contributed back to supported ecosystems rather than kept only inside its commercial product. That upstream contribution claim is important because open source security depends on maintainers, vendors, and downstream users sharing the remediation burden rather than fragmenting fixes into private channels.

Backported patching changes the evidence burden. Customers will need to understand how patches are generated, reviewed, tested, signed, distributed, and maintained. They will also need clarity on what happens when upstream projects diverge, when a patch introduces unexpected behaviour, or when responsibility is divided between the original maintainer, the patching vendor, and the consuming organisation.

European organisations preparing for the Cyber Resilience Act, NIS2, DORA, and more demanding supplier assurance are already under pressure to show disciplined vulnerability handling. Discovery alone is not enough where known weaknesses remain in production without remediation, mitigation, or documented risk acceptance.

The acquisition reflects a wider shift in application security from passive scanning towards integrated remediation. Developer teams want tools that reduce patch latency without creating more work than the vulnerability itself. Security teams want evidence that exposure has been reduced rather than moved into another backlog.

Aikido’s Root deal places remediation closer to the software supply chain. Its value will depend on whether patched components can be trusted, audited, and adopted without weakening provenance or creating opaque dependencies on vendor-generated fixes.

×