Aikido acquires Israel's Root to enhance open source using AI.
Belgian cybersecurity unicorn Aikido has reportedly acquired Root for $70 million. Root focuses on AI agents that address open-source vulnerabilities without disrupting the applications that rely on them, a capability that most security tools lack. In January, Aikido Security, located in Ghent, became the fastest cybersecurity company in Europe to achieve a $1 billion valuation. The new acquisition, Root, is a startup based in Boston with an additional office in Tel Aviv. While Aikido hasn't publicly disclosed the acquisition price, Israeli outlet Calcalist reported it at $70 million. Aikido will integrate Root's Tel Aviv office and its approximately 25 employees.
The challenge of vulnerabilities in open source is familiar to every software company, yet few have effectively resolved it. Open source is pervasive and riddled with security issues. Nearly all applications depend on open-source packages, making them an attractive target for cyber criminals. The Log4Shell vulnerability found in Log4j in 2021 still affects millions of systems today.
Fixing these vulnerabilities should be straightforward but often proves complex. When a dependency is identified as insecure, a development team faces tough choices. They can upgrade to a newer version, risking disruption of a functioning application or introducing new malware, or transition to a vendor's controlled alternative, merely replacing one dependency with another, a process that can take months.
Root offers a solution to bypass this dilemma. Its platform utilizes swarms of AI agents capable of researching, writing, testing, and deploying a patch within approximately 15 to 40 minutes, as noted by SiliconANGLE. In contrast, performing the same task manually usually takes weeks. The fix is delivered directly to the existing version in use, eliminating the need for a rebuild or migration. In over 80% of instances, Root makes no alterations to the code at all, with a human reviewer approving rather than creating the patch.
Aikido plans to incorporate this functionality into its platform under the name Aikido Libraries. One of its clients, the data security company BigID, was able to resolve over 1,000 vulnerabilities in just two weeks, including more than 300 classified as high or critical, distributed across six production images, all while maintaining its current stack.
The timing is strategic, as AI now provides attackers with quicker and more cost-effective methods to identify and exploit vulnerabilities. Hackers are targeting nearly a third of known flaws on the day they are discovered or earlier. Root’s rapid patching capability offers defenders the speed necessary to keep pace with attackers.
This threat is evident throughout the software supply chain, from malware hidden in popular packages to breaches exposing sensitive AI training data. It includes the security shortcomings associated with fast-paced development environments. Aikido believes that combating agents with agents is crucial for maintaining security.
In conjunction with the acquisition, Aikido announced an uncommon initiative for a commercial security firm. It will backport its solutions for critical, actively targeted open-source vulnerabilities to benefit the broader community, planning to contribute these fixes back to the original projects rather than keeping them behind a paywall. “This is a choice between walled gardens and genuine support for open source. We chose open source,” stated Ian Riopel, Root’s co-founder and CEO. Adrian Estrada, chief technology officer of NodeSource and an OpenJS board member, supported the initiative, noting that maintainers are overwhelmed with security tasks, and the backports will alleviate some of their burden.
Root itself has a unique background. Originally starting as Slim.AI, the creators behind the popular open-source container tool Slim Toolkit, it later shifted focus from reducing container sizes to enhancing their security. Root has secured approximately $37.6 million in funding and was recognized by Gartner this year as an emerging vendor in automated vulnerability remediation.
For Aikido, the acquisition of Root concludes a busy year of strategic purchases. In 2025, it acquired the AI code review firm Trag as well as the autonomous penetration testing companies Allseek and Haicker. A branded patch engine is a logical addition for a company providing a comprehensive platform for securing code from development to deployment.
This deal accentuates the growing trend of European companies taking the lead in investing in cybersecurity talent. Aikido now supports over 100,000 teams, including notable clients like Revolut, SoundCloud, and the Premier League. With the addition of Root, Aikido is betting that the optimal strategy in open-source security is not to debate which vulnerabilities to address first, but to simply fix them as they are identified.
