How Root secures software at the speed of development

Software supply chain attacks are up 431% since 2021, and open source software is one of the biggest exposure paths. As of 2025, it is found in nearly 90% of modern code bases and makes up 70 to 80% of the code. A single compromised open source package can therefore lead to breaches at many companies at once.
But patching remains a slow, manual process, with engineers spending time triaging vulnerabilities instead of fixing them.
“Everyone is still really focused on this concept of triage,” says Ian Riopel, cofounder and CEO of Root.
“Taking a long list of risks and vulnerabilities and figuring out ‘How can I manage this to a point where it is an achievable and workable amount of work for my team to attack and protect ourselves?’ And I think that it’s because we’re anchored in a more traditional mindset of, ‘This is how we’ve always worked.’”
Root is turning that mindset on its head, using AI agents to patch software supply chain vulnerabilities.
“Forget about the triage, and let’s just focus on getting you to a zero-risk or lower-risk state automatically.”
Getting to the root of the problem
Root began as Slim.AI.
Founded in January 2021 by John Amaral, formerly head of product at Cisco Cloud Security, Slim.AI was built on the popular open-source DockerSlim project. It gave developers tools to ship secure, production-ready containers in an automated, repeatable way, without specialized expertise.
Riopel — a U.S. Army veteran and former counterintelligence agent, who also held roles at Cisco, CloudLock, and Rapid7 — joined as Head of Partnerships and then Chief Customer Officer.
Insight Partners invested in early 2022, co-leading the company’s $31M Series A.
“We chose to partner with Insight because they bring a great network of advice and early adopters,” says Riopel. “Insight helps accelerate our discovery around going to market and testing the product.”
But the team soon realized the product had evolved into something potentially far more impactful: a platform capable of proactively securing software for production at scale.
Mission: Patch all of open-source
The realization hit when Riopel and his Root cofounders — Slim.AI colleague Amaral, joined by Benji Kalman and Mickey Gordon — were walking around the Black Hat conference, and they noticed something.
Everyone was talking about software supply chain security, but “the whole industry was still trying to think about addressing the problem space as a more effective means of triage, so reducing the vulnerability noise,” says Riopel.
“We took a moment and thought, well, what if we took a step back. … What if we just didn’t have vulnerability to triage? Is that something we could actually do?”
With deep expertise in containers, security, and open source — and by applying new AI capabilities — the team knew they could. “We could fix a container and get it to zero vulnerabilities and remove technical debt that was now being shifted onto the developer organization, which is what the entire industry has been focused on,” says Riopel.
Thus began the mission: Patch all of open-source.
The rebrand to Root in early 2025 reflected this shift — from a developer optimization tool to a robust security solution that empowers organizations to meet rigorous security demands around open-source software in minutes. They were getting to the root of software risk, fixing vulnerabilities before they ever became a problem.
“The cybersecurity industry in general assumes that you have to start with a long list of work and a long list of vulnerabilities,” says Riopel. “What we’re doing at Root is challenging that traditional wisdom and saying, ‘Well, you don’t have to start with the list. We can just fix it all.’”
Securing upstream vulnerabilities with agents
Rather than relying on engineers to triage, Root’s AI agents scan container images, apply patches where available, and generate custom patches for outdated components that lack official fixes. This automation fixes 95% or more of vulnerabilities, meaning developers can just focus on building software.
The process is continuous. Root’s agents inspect the software supply chain for the most popular open-source projects, testing patches to ensure they don’t cause breaking changes. If a test harness doesn’t exist, the agents create one. Only once a patch passes does it get deployed back to the customer — and the whole process takes minutes.
Root secures everything upstream that developers are pulling down, so they don’t have to spend time chasing tickets.
“It’s a very different approach. But, we’ve proven that it can work, and we have customers who do it today,” says Riopel.
Reflecting Root’s origins in open source, these customers span everyone from small, few-person shops to publicly listed companies. Root even has containers deployed in NATO missions.
It’s an approach designed for the age of AI.
Riopel thinks the biggest risk to the industry is “not moving fast enough.” Threats that once moved at the pace of months and years now move in days and hours.
“Anyone can basically code at this point,” says Riopel. “My ten-year-old daughter successfully managed to get ChatGPT to create a quick script. And she’s never coded before in her life.”
This accessibility means new threats can be created, tested, iterated on, and perfected in hours. So AI-centric, AI-led solutions are “going to be table stakes going forward,” says Riopel, if enterprises want to match that speed.
Zero vulnerabilities in five years
AI is a new threat vector, but it’s also a new way to defend.
By automating patching at scale, removing the need for triage, and ensuring that containerized workloads, including complex AI/ML stacks, are continuously protected, Root is aiming for autonomous software supply chain resilience — infrastructure that defends itself at the speed of emerging threats.
There is an enormous opportunity for companies like Root and businesses that leverage some of these newer technologies to innovate and stay ahead, says Riopel. “There’s going to be a massive change in the way we think about … positioning ourselves … and protecting ourselves against that threat landscape over the next five years.”
“Anyone will be able to launch an Advanced Persistent Threat (APT), anyone will be able to launch sophisticated supply chain attacks … In order to react to that, enterprises will have to do the unnatural, which is move faster, accelerate, and embrace this change.”
What does success look like for Root? “Enabling any organization of any size to be able to operate with zero vulnerabilities in their software supply chain, and enabling any organization to operate with maturity levels that today are reserved for nation states or Fortune 100s,” says Riopel.
*Note: Insight Partners has invested in Root.