# Agentic Patching

> See how Root's AI agents research, analyze, and patch vulnerabilities in real time.

Root uses autonomous AI agents to research, patch, and validate vulnerability fixes. The Agentic Patching flow gives you full visibility into how each CVE is handled.

<Frame caption="The Agentic Factory view for a single CVE — Researcher agent, Patcher agent, and the resulting Merge Request, with report.md and metadata.json artifacts.">
  <img src="https://mintcdn.com/root-939307ed/cCjlTIX-fOzNh_rn/images/agentic-patching-flow.png?fit=max&auto=format&n=cCjlTIX-fOzNh_rn&q=85&s=eb7a93beb21da1bf83e81c8b48c4d203" width="2656" height="1494" data-path="images/agentic-patching-flow.png" />
</Frame>

## The AVR pipeline

Root's Agentic Vulnerability Remediation (AVR) operates in five stages. The Patcher Flow visualization shows each stage as it executes:

1. **Scan and detect** — when a new CVE is published, Root ingests vulnerability data (NVD advisories, upstream commit history, exploit databases) and identifies affected components automatically.
2. **Build a remediation plan** — research agents analyze the vulnerability in depth, locate upstream fixes, assess compatibility with the specific versions you're running, and determine the right fix approach (backport vs. native package upgrade).
3. **Apply the fix** — patching agents generate the fix for the exact version you're running. Root patches existing software rather than rebuilding from source, preserving your dependencies.
4. **Test and validate** — the patched artifact is validated against the package's test suite, functional tests, CVE-specific regression tests confirming the exploit is blocked, and compatibility verification.
5. **Rebuild and deliver** — the validated artifact is rebuilt with the patch applied, signed with cryptographic attestations (SBOM, VEX, provenance), and published to Root's registries.

For the full conceptual overview, see [Agentic Vulnerability Remediation](/concepts/avr).

## Viewing the patching flow

### From a CVE Details page

1. Navigate to any [CVE Details](/platform/cve-details) page.
2. If Root has generated a patch, click **Show in Agentic Factory**.

### From the Patcher Flow page

Navigate directly to `app.root.io/patcher-flow`:

<Steps>
  <Step title="Select a CVE">
    Enter the CVE ID, package name, package version, and ecosystem. The form validates that the CVE exists and has artifacts.
  </Step>

  <Step title="Watch the agent flow">
    The visualization animates each agent step. Click the info icon on any node for details.
  </Step>

  <Step title="Inspect artifacts">
    Click artifact buttons to view:

    * **Patch diff** - the code changes applied
    * **Research report** (`report.md`) - the Security Analyst's findings
    * **Metadata** (`metadata.json`) - structured data about the fix
  </Step>
</Steps>

## SLA and processing

Root's remediation SLA timelines begin when **both** a CVE is published **and** a Fix Candidate is available in the ecosystem. There are two tiers:

**Standard SLA** (included with all paid subscriptions):

| Severity | Timeline                | CISA KEV |
| -------- | ----------------------- | -------- |
| Critical | 30 calendar days        | 72 hours |
| High     | 30 calendar days        | 72 hours |
| Medium   | 60 calendar days        | —        |
| Low      | Commercially reasonable | —        |

**Enhanced SLA** (available at additional charge per Order Form):

| Severity | Timeline                | CISA KEV |
| -------- | ----------------------- | -------- |
| Critical | 7 calendar days         | 48 hours |
| High     | 14 calendar days        | 48 hours |
| Medium   | 30 calendar days        | —        |
| Low      | Commercially reasonable | —        |

For full SLA details including exclusions and surge conditions, see [Root's Service Level Agreement](https://www.root.io/service-level-agreement).

<Info>
  CVEs in images or libraries that no active customer subscribes to are tracked but do not trigger automatic agent runs.
</Info>

## Artifacts

| Artifact            | Description                                                        |
| ------------------- | ------------------------------------------------------------------ |
| **Patch diff**      | Minimal unified diff fixing the vulnerability.                     |
| **Research report** | Markdown document summarizing CVE, fix strategy, and validation.   |
| **Metadata**        | JSON with CVE info, affected package, fix version, and provenance. |

If a CVE was resolved by an upstream fix rather than a Root-generated patch, artifacts may not be available.
