Root.io
Additional Info
| Company / Organization | Root.io |
| Company size | 10-39 employees |
| World Region | North America |
| Website | https://www.root.io/ |
NOMINATION HIGHLIGHTS
Root.io addresses one of the most complex challenges in modern software: managing vulnerabilities in open-source and containerized environments. Open-source dependencies comprise the majority of modern software and contain 100% of known vulnerabilities. At the same time, AI-driven exploit tools have shrunk the gap between disclosure and attack to mere hours. Traditional patching cannot keep pace, leaving teams trapped in repetitive scan and patch cycles that drain resources, slow development, and expose enterprises to risk.
Root.io was founded to break this cycle. It repositioned software supply chain security to end the dependency between AppSec and developers. Rather than “shifting left,” Root enables “Shift Out”—where security and engineering teams operate independently but in parallel. Root is the first company to introduce Agentic Vulnerability Remediation, an AI-driven model that automates vulnerability detection, patching, and validation.
Rather than generating more alerts or forcing teams to rebuild containers, Root deploys specialized agents that remediate issues directly in the environment. It delivers zero-vulnerability containers that work with existing infrastructure—no rebasing, no rebuilds, and no CI/CD disruption. Every fix is tested against upstream test suites, real-world application behavior, and CVE-specific proof-of-fix logic. This ensures transparency and compliance, critical for the industries that Root serves.
Root delivers vulnerabilities already fixed, turning open-source from a liability into a built-in advantage. The result is the end of the patch cycle itself. Customers such as Six Works (an IBM company) and BigID trust Root to eliminate vulnerability backlogs, maintain audit readiness, and keep mission-critical systems secure without slowing developers down.
As one Root customer that made the switch put it: “Chainguard felt like magic, but we had no idea how they did that. The level of transparency is really important, especially when you’re working in defense—you have to basically justify everything that you’re doing, especially from a security point of view.”
The impact has been immediate. On average, Root reduces remediation times by 90 days, cuts false positives by 95%, lowers costs by 40%, and deploys in under 30 days.
Root represents the end of the patch cycle itself. By aligning developer velocity with uncompromising security, Root proves these aren’t competing priorities but complementary strengths. The CVE grind stops. Both sides freed. That’s Shift Out.

