[ARTICLE · art-45008] src=aikido.dev ↗ pub= topic=ai-research verified=true sentiment=↑ positive

Aikido acquires Root to secure the supply chain

Aikido acquires Root to secure the software supply chain by using AI-generated patches for open-source vulnerabilities. Root's agent-native system produces hundreds of verified CVE patches daily without breaking changes, and Aikido launches Aikido Libraries and Aikido Images as drop-in replacements. Critical fixes are contributed upstream to the open-source community.

Published Jun 30, 2026 · 3 min read

Today, Aikido acquires Root. 🚀

Open source powers almost every application in the world, and it's become the primary entry point for attackers. The software supply chain is under fire. (something something cat meme waking up to another supply chain attack)

Attackers are getting faster, too. AI is making it cheaper to exploit known vulnerabilities before most teams have a chance to patch them. Nearly a third of known vulnerabilities are exploited on or before the day they're disclosed. Meanwhile, our old friend Log4Shell, discovered in 2021, is still running in millions of production systems today.

But most teams are stuck choosing between three options that don't work:

- Upgrade and risk breaking production
- Migrate to a vendor's locked-down replacement
- Keep running vulnerable software

The reality is that upgrading isn't simple (shocker). A dependency update can break production, pull in dozens of unrelated changes, depend on versions that don't exist yet, or even introduce new vulnerabilities of its own. Even when everything goes right, upgrades consume weeks of engineering time.

The fact is: open source needs patching, and it needs it fast.

Root solves this supply chain challenge with an agent-native approach. Instead of agents that just find vulnerabilities, they've built a factory-like system where agents generate precise CVE patches for the package versions teams actually run, at machine speed.


The result? Hundreds of verified CVE patches produced every day.

That – wait for it – don’t introduce breaking changes.

"The industry is still stuck on triage, taking a giant list of CVEs and arguing over which ones to fix first. Or worse, telling teams to throw out their images and start over with someone else's," says Ian Riopel, co-founder and CEO of Root. "We built Root to skip the argument and just fix the problem in place. This is a choice between walled gardens and real support for open source. We chose open source."

Now we're bringing that capability into Aikido.

We're launching Aikido Libraries and Aikido Images: vulnerability-free, drop-in replacement libraries and container images that patch the software teams are already running, without migration, and most importantly, without breaking changes.

They're already in production and available to every Aikido customer (peep the image catalogue here).


When a new CVE is introduced, we’ll generate the patch that works for your system, on your exact version. Keeping you continuously protected.

And no, "private patches for open source" isn't the headline.

Critical fixes for actively exploited vulnerabilities will continue to go back to the community, upstream across ecosystems, not locked behind a paywall. If we want to solve software supply chain security, the ecosystem has to become more secure, not just our customers.

"Open source maintainers are drowning in security work while trying to keep the projects the world depends on running," said Adrian Estrada, CTO of NodeSource, OpenJS Board Director and Node.js Core Contributor. "Aikido and Root are taking work off our plate by backporting fixes and contributing them upstream."

Welcome to Aikido, Root.

The mission? Get developers back to building.

xo Madeline, Aikido
