
Supply Chain Security, Container Security

Root Platform

CVE-first autonomous remediation for container images and open-source dependencies, delivering zero-CVE images and backported patches at pinned versions without forced upgrades.

Hardened Container Images, Autonomous Vulnerability Remediation

Root Platform Overview

Root Platform is a container and open-source dependency security product built on a CVE-first remediation model: instead of rebuilding software from source or forcing version upgrades, it patches the exact versions a team already runs. Its core mechanism, Agentic Vulnerability Remediation (AVR), uses a fleet of specialized AI agents triggered by a Common Vulnerabilities and Exposures (CVE) publication to research, build, test, and ship a production-ready fix, typically in 15 to 40 minutes, with no breaking changes to the running stack.

The platform delivers fixes through two catalogs and a standalone patch stream. Root Image Catalog provides 2,000+ continuously remediated base images across Python, Node, Java, Go, and 40 more ecosystems as drop-in replacements pulled from cr.root.io. Root Library Catalog backports the smallest safe fix to pinned application dependencies, reaching transitive dependencies up to five layers deep. Root Patches ship reproducible artifacts for legacy systems that cannot be upgraded. Every artifact carries a Software Bill of Materials (SBOM), a Vulnerability Exploitability eXchange (VEX) statement, and Supply-chain Levels for Software Artifacts (SLSA) build provenance. Named customers include DeleteMe, SiXworks, and BigID.

Root is SOC 2 Type II certified and Cyber Essentials certified, with SLSA Level 2 build provenance and Docker Hub Verified Publisher status. Root is a contributing member of the Cloud Native Computing Foundation (CNCF), a global member of OWASP, and a voting member of OASIS, contributing to supply chain security and attestation standards. Remediation is backed by tiered service level agreements with CISA Known Exploited Vulnerabilities (KEV) escalation, targeting DevOps, platform, and security teams in regulated sectors such as defense and FinTech.

Key Capabilities (mapped to solution categories)

Autonomous Vulnerability Remediation

Applies OS and application patches to vulnerable systems automatically based on configurable risk thresholds, without requiring per-patch analyst approval.

Creates ITSM change records (ServiceNow, Jira Service Management) as part of the patch workflow, maintaining an audit trail and change management compliance.

Hardened Container Images

Monitors managed SBOMs against the NVD, OSV, and vendor advisories, alerting when newly published CVEs match components in any tracked SBOM.

Signs image manifests with Sigstore/Cosign or Notary v2, enabling downstream consumers to verify image integrity and provenance before deployment.

Compliance (certifications)

SOC 2 Type II

Integrations (compatible tools)

Aikido Security, Amazon ECR, Aqua Security, AWS, Azure Container Registry, Claude Code, Codex, Composer, Docker Hub, Google Container Registry, Gradle, Jira, Maven, npm, NuGet, PyPI, ServiceNow, Slack, Trivy

Implementation & support

Deployment model: Cloud, SaaS
Pricing structure: Free Tier, Subscription
Support channels: Documentation, Email Support

Info last updated on June 26, 2026