Root uses autonomous AI agents to research, patch, and validate vulnerability fixes. The Agentic Patching flow gives you full visibility into how each CVE is handled.

The AVR pipeline

Root’s Agentic Vulnerability Remediation operates in five stages. The Patcher Flow visualization shows each stage as it executes:
  1. Scan and detect — when a new CVE is published, Root ingests vulnerability data (NVD advisories, upstream commit history, exploit databases) and identifies affected components automatically.
  2. Build a remediation plan — research agents analyze the vulnerability in depth, locate upstream fixes, assess compatibility with the specific versions you’re running, and determine the right fix approach (backport vs. native package upgrade).
  3. Apply the fix — patching agents generate the fix for the exact version you’re running. Root patches existing software rather than rebuilding from source, preserving your dependencies.
  4. Test and validate — the patched artifact is validated against the package’s test suite, functional tests, CVE-specific regression tests confirming the exploit is blocked, and compatibility verification.
  5. Rebuild and deliver — the validated artifact is rebuilt with the patch applied, signed with cryptographic attestations (SBOM, VEX, provenance), and published to Root’s registries.
For the full conceptual overview, see Agentic Vulnerability Remediation.

Viewing the patching flow

From a CVE Details page

  1. Navigate to any CVE Details page.
  2. If Root has generated a patch, click Show in Agentic Factory.

From the Patcher Flow page

Navigate directly to app.root.io/patcher-flow:
  1. Select a CVE: enter the CVE ID, package name, package version, and ecosystem. The form validates that the CVE exists and has artifacts.
  2. Watch the agent flow: the visualization animates each agent step. Click the info icon on any node for details.
  3. Inspect artifacts: click the artifact buttons to view:
    • Patch diff - the code changes applied
    • Research report (report.md) - the Security Analyst’s findings
    • Metadata (metadata.json) - structured data about the fix

SLA and processing

Root’s remediation SLA timelines begin when both a CVE is published and a Fix Candidate is available in the ecosystem. There are two tiers.

Standard SLA (included with all paid subscriptions):

| Severity | Timeline                | CISA KEV |
|----------|-------------------------|----------|
| Critical | 30 calendar days        | 72 hours |
| High     | 30 calendar days        | 72 hours |
| Medium   | 60 calendar days        |          |
| Low      | Commercially reasonable |          |

Enhanced SLA (available at additional charge per Order Form):

| Severity | Timeline                | CISA KEV |
|----------|-------------------------|----------|
| Critical | 7 calendar days         | 48 hours |
| High     | 14 calendar days        | 48 hours |
| Medium   | 30 calendar days        |          |
| Low      | Commercially reasonable |          |

For full SLA details, including exclusions and surge conditions, see Root’s Service Level Agreement.
CVEs in images or libraries to which no active customer is subscribed are tracked but do not trigger automatic agent runs.
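As an added example (not Root’s own code or API), the following tracker computes SLA deadlines from the two tiers above, starting the clock at the later of CVE publication and Fix Candidate availability, applying the CISA KEV override only to Critical and High, and treating "commercially reasonable" as having no fixed deadline. The CVE records are constructed placeholders.

```python
from datetime import datetime, timedelta
from typing import Optional

# Timelines in calendar days per Root's published tiers; None = "commercially reasonable".
TIMELINE_DAYS = {
    "standard": {"critical": 30, "high": 30, "medium": 60, "low": None},
    "enhanced": {"critical": 7, "high": 14, "medium": 30, "low": None},
}
# CISA KEV deadlines in hours; the override applies to Critical and High only.
KEV_HOURS = {"standard": 72, "enhanced": 48}


def sla_start(published: datetime, fix_candidate: Optional[datetime]) -> Optional[datetime]:
    """The SLA clock starts only once the CVE is published AND a Fix Candidate exists."""
    if fix_candidate is None:
        return None
    return max(published, fix_candidate)


def sla_deadline(severity: str, kev: bool, published: datetime,
                 fix_candidate: Optional[datetime], tier: str = "standard") -> Optional[datetime]:
    """Return the remediation deadline, or None when no fixed deadline applies yet."""
    if tier not in TIMELINE_DAYS:
        raise ValueError(f"unknown SLA tier: {tier}")
    start = sla_start(published, fix_candidate)
    if start is None:
        return None
    if kev and severity in ("critical", "high"):
        return start + timedelta(hours=KEV_HOURS[tier])
    days = TIMELINE_DAYS[tier][severity]
    return None if days is None else start + timedelta(days=days)


def overdue(records: list, now: datetime, tier: str = "standard") -> list:
    """IDs of unpatched CVEs whose deadline has passed, for SLA tracking on the customer side."""
    late = []
    for r in records:
        if r["patched"]:
            continue
        deadline = sla_deadline(r["severity"], r["kev"], r["published"], r["fix_candidate"], tier)
        if deadline is not None and deadline < now:
            late.append(r["id"])
    return sorted(late)


# Constructed sample records (placeholder CVE IDs, not real advisories).
SAMPLE = [
    {"id": "CVE-0000-EXAMPLE1", "severity": "critical", "kev": False, "patched": False,
     "published": datetime(2024, 1, 1), "fix_candidate": datetime(2024, 1, 10)},
    {"id": "CVE-0000-EXAMPLE2", "severity": "critical", "kev": True, "patched": False,
     "published": datetime(2024, 1, 1), "fix_candidate": datetime(2024, 1, 10)},
    {"id": "CVE-0000-EXAMPLE3", "severity": "low", "kev": False, "patched": False,
     "published": datetime(2024, 1, 1), "fix_candidate": datetime(2024, 1, 2)},
    {"id": "CVE-0000-EXAMPLE4", "severity": "high", "kev": False, "patched": False,
     "published": datetime(2024, 1, 1), "fix_candidate": None},
]
```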

Artifacts

| Artifact        | Description                                                            |
|-----------------|------------------------------------------------------------------------|
| Patch diff      | Minimal unified diff fixing the vulnerability.                         |
| Research report | Markdown document summarizing the CVE, fix strategy, and validation.   |
| Metadata        | JSON with CVE info, affected package, fix version, and provenance.     |
If a CVE was resolved by an upstream fix rather than a Root-generated patch, artifacts may not be available.