AVR Factory
The Agentic Vulnerability Remediation (AVR) Factory is Root's automated system that actually fixes vulnerabilities. This document explains what AVR is conceptually and how Root's remediation process works—building trust in how Root actually fixes things.
What is AVR?
AVR (Agentic Vulnerability Remediation) is Root's approach to automatically fixing vulnerabilities. Unlike manual patching or rebuild-from-source approaches, AVR uses specialized AI agents to:
- Research vulnerabilities - understand what needs to be fixed
- Generate patches - create fixes for the versions you're running
- Test fixes - validate that patches work and don't break things
- Deliver secured artifacts - images and libraries with vulnerabilities fixed
AVR is agentic because specialized agents handle different aspects of remediation (research, patching, testing) and work together to fix vulnerabilities automatically.
The AVR Process
Root's AVR Factory follows a multi-stage process to fix vulnerabilities:
1. Scan and Detect
When a new CVE is published, Root's system:
- Ingests the CVE - receives vulnerability information from multiple sources
- Identifies affected components - determines which images or libraries are vulnerable
- Triggers remediation - starts the AVR process automatically
This happens in seconds—no manual intervention, no scheduling delays.
2. Build Remediation Plan
Root's research agents:
- Analyze the vulnerability - understand what needs to be fixed
- Find upstream fixes - locate how the vulnerability was fixed upstream
- Assess compatibility - determine if the fix works with your versions
- Plan the remediation - create a remediation strategy
This research phase ensures Root understands the vulnerability and how to fix it before attempting remediation.
3. Apply Fixes
Root's patching agents:
- Generate patches - create fixes for the specific versions you're running
- Apply surgical backports - fix vulnerabilities without changing versions
- Preserve compatibility - ensure fixes work with existing code
This is where Root differs from rebuild approaches: Root patches the versions you are already running rather than rebuilding from source.
4. Test and Validate
Root's testing system:
- Tests patches - validates that fixes work correctly
- Verifies compatibility - ensures nothing breaks
- Confirms exploit blocking - proves vulnerabilities are actually fixed
- Validates behavior - confirms normal functionality is preserved
This testing phase ensures Root delivers working fixes, not patches that break applications.
5. Rebuild and Deliver
Root's delivery system:
- Rebuilds artifacts - creates secured images or libraries with patches applied
- Signs artifacts - provides cryptographic attestations
- Delivers updates - makes secured artifacts available
The result: you get secured artifacts (images or libraries) with vulnerabilities fixed, ready to use.
How This Differs from Rebuilds
Traditional Rebuild Approach
Other secure image providers:
- Rebuild entire images from source
- Force you to use their rebuilt versions
- Require migrations to vendor registries
- May introduce breaking changes
Problems:
- Breaking changes from rebuilds
- Forced migrations and vendor lock-in
- Limited version support
- No control over the rebuild process
Root's Patch Approach
Root's AVR Factory:
- Patches existing images and libraries
- Works with versions you're running
- No forced migrations required
- Preserves compatibility
Benefits:
- No breaking changes
- No vendor lock-in
- Universal version support
- You maintain control
Why AVR Matters
AVR enables Root to:
- Fix vulnerabilities automatically - no manual patching required
- Patch pinned versions - fix what you're running, not force upgrades
- Deliver working fixes - tested and validated before delivery
- Scale remediation - fix hundreds of vulnerabilities daily
This is fundamentally different from security tools that only scan or recommend. AVR actually fixes vulnerabilities in a way that works with your existing stack.
Trust in the Process
Root's AVR Factory builds trust through:
- Transparency - artifacts (SBOM, VEX, provenance) explain what was fixed
- Verifiability - you can verify Root's work through Patch Explorer
- Testing - fixes are tested before delivery
- Automation - consistent, repeatable remediation process
You don't have to trust Root blindly. Root provides the artifacts and visibility you need to verify that it fixed what it claims to have fixed.
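One consumer-side check a practitioner can run against the VEX artifact described above, as an added example that is not Root's own code: it assumes the VEX document follows the OpenVEX format (Root's actual artifact layout is not specified on this page), uses a constructed sample document with made-up CVE ids and digests, and reconciles a scanner's findings against the statements that cover the exact product being deployed.

```python
import json

# Constructed sample in OpenVEX form. Assumption: the vendor's VEX follows
# OpenVEX; this document is made up for illustration, not a real Root artifact.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-1",
    "author": "example-vendor",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:oci/app@sha256:aaaa"}], "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:oci/app@sha256:aaaa"}], "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:oci/other@sha256:bbbb"}], "status": "fixed"},
    ],
})

VALID_STATUSES = {"fixed", "not_affected", "affected", "under_investigation"}


def vex_status(vex_json, product_id, cve):
    """Status asserted for (product_id, cve), or None if no statement covers
    that exact product. Statements about other products are ignored: a fix
    attested for a different image digest proves nothing about this one."""
    for stmt in json.loads(vex_json).get("statements", []):
        if stmt["vulnerability"]["name"] != cve:
            continue
        if not any(p.get("@id") == product_id for p in stmt.get("products", [])):
            continue
        status = stmt.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {status!r} for {cve}")
        # OpenVEX requires a justification or impact statement for not_affected.
        if status == "not_affected" and not (
                stmt.get("justification") or stmt.get("impact_statement")):
            raise ValueError(f"not_affected without justification for {cve}")
        return status
    return None


def reconcile(vex_json, product_id, findings):
    """Split scanner findings into those the VEX resolves and those still open."""
    resolved, still_open = {}, {}
    for cve in findings:
        status = vex_status(vex_json, product_id, cve)
        (resolved if status in ("fixed", "not_affected") else still_open)[cve] = status
    return resolved, still_open
```

Any finding that lands in the open set, including one whose only statement names a different product digest, should stay on the backlog until a statement for the deployed artifact appears; the VEX itself is only meaningful once its signature and provenance have been checked.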