
Aikido acquires Israel’s Root to apply AI to open source patching

Summary

– Belgian cybersecurity unicorn Aikido Security acquired Israeli startup Root for an estimated $70–100 million, absorbing all 25 staff and opening a development center in Israel.
– Root’s AI agents patch open-source vulnerabilities in 15–40 minutes without breaking the application, avoiding the trade-offs of upgrades or migrations.
– Aikido’s new feature, Aikido Libraries, uses Root’s technology; customer BigID cleared over 1,000 vulnerabilities in two weeks, with 300+ high or critical, without changing its stack.
– AI is accelerating attacker speed, hitting nearly a third of known vulnerabilities on or before the day they appear, making agentic defense essential.
– Aikido will backport fixes for critical open-source flaws to the community upstream, rather than keeping them proprietary.

A Belgian cybersecurity unicorn has quietly solved one of software’s most stubborn headaches. It now has an AI that patches open-source vulnerabilities without breaking the applications that depend on them, a feat most security tools cannot pull off.

Aikido Security, headquartered in Ghent, became the fastest European cybersecurity company to reach a $1bn valuation in January. The firm has now acquired Root, an Israeli startup. Aikido did not reveal the purchase price, though Israeli outlet Calcalist pegged it between $70mn and $100mn. As part of the deal, Aikido will open a development center in Israel and absorb all of Root’s roughly 25 employees, most based in Tel Aviv.

The acquisition targets a problem every software company knows intimately, yet few have truly solved. Open-source code is everywhere, and it is riddled with vulnerabilities. Nearly every application leans on open-source packages, making them a favorite entry point for attackers. The infamous Log4Shell bug, discovered in Log4j back in 2021, still runs in millions of systems today.

Fixing these flaws sounds simple but rarely is. When a dependency turns out to be vulnerable, a team faces two bad options. Upgrade to a newer version, and you risk breaking a working app or pulling in fresh malware. Migrate to a vendor’s locked-down replacement, and you have swapped one dependency for another, often requiring months of work.

Root’s pitch skips that trade-off entirely. Its platform deploys swarms of AI agents that research, write, test, and ship a patch in roughly 15 to 40 minutes, according to SiliconANGLE. By hand, the same job can take weeks. The fix goes straight to the exact version a company already runs, so there is no rebuild and no migration. In more than four out of five cases, Root changes no code at all. A human reviewer signs off rather than writes the patch.

Aikido is folding this into its platform as a feature called Aikido Libraries. One customer, the data-security firm BigID, cleared more than 1,000 vulnerabilities in two weeks. Over 300 of those counted as high or critical, spread across six production images, and the company kept its existing stack intact.

The timing is no accident. AI is giving attackers faster and cheaper ways to find and exploit flaws. Attackers now hit almost a third of known vulnerabilities on or before the day they surface. The agentic approach that lets Root patch in minutes gives defenders the speed they now need. The people breaking in already have it.

That threat is already visible across the software supply chain. It runs from malware smuggled into popular packages to breaches that leak AI training secrets. It reaches the security failures piling up around fast-moving vibe-coding platforms. Aikido’s bet is that fighting agents with agents is the only way to keep up.

Alongside the deal, Aikido announced something unusual for a commercial security firm. It will backport its fixes for critical, actively exploited open-source vulnerabilities to the wider community. It plans to contribute them upstream to the projects that maintain the code, rather than keep them behind a paywall.

“This is a choice between walled gardens and real support for open source. We chose open source,” said Ian Riopel, Root’s co-founder and chief executive. Adrian Estrada, chief technology officer of NodeSource and an OpenJS board director, welcomed the move. He said maintainers are “drowning in security work,” and that the backports take work off their plates.

Root has an unusual history of its own. It began as Slim.AI, the company behind the widely used open-source container tool Slim Toolkit. It later pivoted from shrinking container images to securing them. It had raised about $37.6mn, and Gartner this year named it an emerging vendor in automated vulnerability remediation.

For Aikido, Root caps a busy year of buying. In 2025 it snapped up the AI code-review startup Trag and the autonomous penetration-testing firms Allseek and Haicker. A branded patch engine is a natural next piece for a company selling a single platform to secure code from writing to running.

The deal also underlines how much of the world’s cybersecurity talent still sits in Israel, and how European buyers are increasingly the ones writing the cheques. Aikido now serves more than 100,000 teams, including Revolut, SoundCloud, and the Premier League. With Root, it is betting that the winning move in open-source security is not to argue about which holes to fix first, but simply to fix them where they are.

(Source: The Next Web)
