The time between a CVE being published and it being fixed in your environment is your exposure window. Without Root, this is measured in weeks or months. With Root, it’s measured in hours.
Without Root: The CVE Treadmill
A typical remediation cycle without Root:
- CVE is published
- Scanner detects the vulnerability in your images or packages (hours to days later)
- AppSec triages the finding and opens a ticket (days later)
- Engineering receives the ticket and investigates (days to weeks later)
- A fix is applied, reviewed, and merged (weeks later)
- The fix is deployed to production (weeks to months later)
With Root: Automated Remediation
When a CVE is published for a package in your Root subscription:
- Seconds - AVR ingests the CVE and identifies affected components
- Hours - Research agents analyze the vulnerability and build a remediation plan
- Hours to days (within SLA) - Patching agents generate and test the fix
- On delivery - The patched artifact is published to Root’s registries with updated SBOM, VEX, and provenance
- On your next pull/install - Your environment gets the fix
Exposure Window Reduction
The exposure window collapses from weeks or months to the time between CVE publication and your next deployment cycle - because Root has already done the remediation work before you even know the CVE exists.
Continuous Coverage
Root doesn’t remediate once and stop. Every subscribed artifact is monitored continuously. When a new CVE is discovered for a package you’re using:
- AVR automatically begins the remediation pipeline
- Your existing deployment gets a patched update at the same tag or version
- You receive notification of the new patch and updated artifacts