Agentic Vulnerability Remediation (AVR) is the engine behind Root. Instead of identifying vulnerabilities and leaving remediation to your team, AVR fixes them — automatically, continuously, and at a scale no manual process can match. The term “agentic” reflects how AVR works: specialized AI agents handle different aspects of remediation collaboratively, operating as a fleet rather than a single model.

The Five Stages of AVR

1. Scan and Detect

When a new CVE is published, Root's system ingests the vulnerability data within seconds: NVD advisories, upstream commit history, exploit databases, and affected version ranges. Affected components are identified automatically, and remediation is triggered without human intervention.

2. Build a Remediation Plan

Research agents analyze the vulnerability in depth: locating upstream fixes, assessing compatibility with the specific versions you run, and determining whether a backport or a native distribution package upgrade is the right approach. This stage produces a precise remediation strategy before any code is changed.

3. Apply the Fix

Patching agents generate the fix for the exact version you run. Root patches existing software rather than rebuilding it from source: if an upstream fix exists, it is backported to your pinned version. This preserves compatibility. Your dependencies and their version numbers do not change; only the vulnerable code does.

4. Test and Validate

The patched artifact is validated against multiple layers of testing: the package's own test suite, functional tests, CVE-specific regression tests that confirm the exploit is blocked, and compatibility verification that confirms nothing else broke. A patch does not ship until it passes every layer.

5. Rebuild and Deliver

The artifact is repackaged with the validated patch applied, signed with cryptographic attestations (SBOM, VEX, provenance), and published to Root's registries. Your next docker pull or pip install gets the fix. One consequence of patching in place: because the package version string is unchanged, a scanner that matches on version ranges alone will keep reporting the CVE. The accompanying VEX statement is what records the CVE as fixed for that specific artifact, and scanners that consume VEX clear the finding from it rather than from the version number.
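The consumer side of stage 5 is the step most teams get wrong: a VEX document only means something for the exact artifact it was issued for, and a patched-in-place package carries the same version string as the vulnerable one. The following is an added example (not Root's code and not Root's pipeline) that shows how a scanner pipeline would reconcile its findings with a delivered VEX statement. It assumes the VEX is OpenVEX wrapped in an in-toto Statement whose predicateType is the OpenVEX namespace, the shape cosign-style attestations use; the image digest, CVE identifiers and package URLs are constructed placeholders, not real vulnerabilities or images. It first checks that the attestation's subject digest matches the image being scanned (a VEX for a different build must never clear findings here), then clears only findings the statement marks fixed or not_affected, leaving under_investigation and unstated findings visible.

```python
"""Reconcile scanner findings with a VEX attestation bound to an image.

Added example, not Root's code. Assumptions: the VEX document is OpenVEX,
wrapped in an in-toto Statement whose predicateType is the OpenVEX
namespace (the shape cosign-style attestations use); the digest, CVE ids
and purls are constructed placeholders.
"""

OPENVEX_NS = "https://openvex.dev/ns"
INTOTO_TYPES = {"https://in-toto.io/Statement/v1", "https://in-toto.io/Statement/v0.1"}
# OpenVEX statuses. Only these two justify clearing a finding; "affected",
# "under_investigation" and "no statement at all" keep it visible.
CLEARING_STATUSES = {"fixed", "not_affected"}

# Constructed sample data: one image digest, four scanner findings, one VEX attestation.
IMAGE_DIGEST = "3f" * 32  # placeholder sha256 hex, not a real image

FINDINGS = [  # the shape a scanner typically emits: CVE id plus package URL
    {"cve": "CVE-0000-1001", "purl": "pkg:deb/debian/libexample@1.2.3-1"},
    {"cve": "CVE-0000-1002", "purl": "pkg:deb/debian/libexample@1.2.3-1"},
    {"cve": "CVE-0000-1003", "purl": "pkg:pypi/examplelib@2.0.0"},
    {"cve": "CVE-0000-1004", "purl": "pkg:deb/debian/other@1.0-1"},
]

ATTESTATION = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": "https://openvex.dev/ns/v0.2.0",
    "predicate": {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/1",
        "author": "example publisher",
        "timestamp": "2024-01-01T00:00:00Z",
        "version": 1,
        "statements": [
            # Same version string as the finding, but patched in place: status "fixed".
            {"vulnerability": {"name": "CVE-0000-1001"},
             "products": [{"@id": "pkg:deb/debian/libexample@1.2.3-1?arch=amd64"}],
             "status": "fixed"},
            {"vulnerability": {"name": "CVE-0000-1003"},
             "products": [{"@id": "pkg:pypi/examplelib@2.0.0"}],
             "status": "under_investigation"},
            {"vulnerability": {"name": "CVE-0000-1004"},
             "products": [{"@id": "pkg:deb/debian/other@1.0-1"}],
             "status": "not_affected",
             "justification": "vulnerable_code_not_present"},
        ],
    },
}


def norm_purl(purl: str) -> str:
    """Strip purl qualifiers (?arch=...) and subpath (#...) so a scanner's
    bare purl matches the attestation's qualified one."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def vex_index(image_digest: str, statement: dict) -> dict:
    """Return {(cve, purl): status} from an in-toto-wrapped OpenVEX document,
    refusing any attestation that is not bound to image_digest."""
    if statement.get("_type") not in INTOTO_TYPES:
        raise ValueError("not an in-toto Statement")
    if not statement.get("predicateType", "").startswith(OPENVEX_NS):
        raise ValueError("predicateType is not OpenVEX")
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == image_digest for s in subjects):
        # A VEX issued for some other artifact must never clear findings on this one.
        raise ValueError("attestation subject does not match the image digest")
    index = {}
    for st in statement["predicate"].get("statements", []):
        vuln = st["vulnerability"]
        cve = vuln if isinstance(vuln, str) else vuln.get("name") or vuln.get("@id")
        for product in st.get("products", []):
            purl = product["@id"] if isinstance(product, dict) else product
            index[(cve, norm_purl(purl))] = st["status"]
    return index


def reconcile(findings: list, image_digest: str, statement: dict):
    """Split findings into (kept, cleared) according to the VEX statuses."""
    index = vex_index(image_digest, statement)
    kept, cleared = [], []
    for f in findings:
        status = index.get((f["cve"], norm_purl(f["purl"])), "no_statement")
        (cleared if status in CLEARING_STATUSES else kept).append({**f, "vex_status": status})
    return kept, cleared


if __name__ == "__main__":
    kept, cleared = reconcile(FINDINGS, IMAGE_DIGEST, ATTESTATION)
    for f in cleared:
        print(f"cleared  {f['cve']} {f['purl']} ({f['vex_status']})")
    for f in kept:
        print(f"kept     {f['cve']} {f['purl']} ({f['vex_status']})")
```

Two design points worth keeping when adapting this: the digest check runs before any status is consulted, so a mis-attached or replayed VEX fails closed, and purl qualifiers are normalised on both sides because scanners and attestations rarely agree on whether to include `?arch=` and similar suffixes. In a real pipeline the signature on the attestation envelope would be verified first; this example starts from an already-verified payload.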

AVR vs. Rebuilding from Source

Other secure image providers rebuild entire images from source. That approach can introduce breaking changes, forces a migration to the vendor's registry, and limits support to the versions the vendor chooses to maintain. Root's approach is different:

                     Rebuild approach                            Root AVR
Method               Rebuild entire image from upstream source   Patch in place
Breaking changes     Possible                                    None
Registry migration   Required                                    Not required
Version support      Limited to maintained versions              Any version
User control         Reduced: tied to the vendor's build         Full: you validate and implement

Why AVR Scales

Manual CVE remediation is a per-ticket, per-engineer process. AVR handles hundreds of vulnerabilities daily across every subscribed artifact, operating continuously without fatigue or backlog. When a CVE is published, remediation starts within seconds — not after a standup.

Trust and Verifiability

AVR is built to be audited, not just trusted:
  • Transparency — every patched artifact documents what was fixed and how
  • Verifiability — Patch Explorer lets security teams review the full remediation for any artifact
  • Testing — fixes are validated before delivery; test results are included in the artifact’s provenance
  • Cryptographic attestation — SBOM, VEX, and provenance prove the artifact came from Root’s pipeline
See Root Artifacts for details on the full attestation model.