Key Takeaways

- Aikido Security acquired Root to add backporting capability, letting teams fix vulnerabilities without upgrading dependencies
- Backporting addresses a common pain point: roughly 1 in 4 CVE fixes break applications when teams upgrade to patch them
- The acquisition follows Aikido's $17 million Series A in January 2024, signaling continued expansion of its developer-first security platform
Aikido Security has acquired Root, a startup specializing in backporting security patches to older software versions. The deal gives Aikido's customers a way to fix vulnerabilities in open source dependencies without upgrading to newer versions, a process that frequently breaks production applications.
The acquisition targets a specific frustration for engineering teams. When a critical CVE drops in a dependency, the standard advice is to upgrade. But upgrading often means accepting breaking changes, rewriting integration code, or discovering that the new version conflicts with other parts of your stack. Root's technology applies security fixes directly to the version you're already running.
"We're giving developers a third option: fix the vulnerability in the version you're already using," said Willem Delbare, CEO and co-founder of Aikido Security.
Why backporting matters for production systems
By common industry estimates, open source components make up 85% or more of a typical codebase. Each dependency carries its own version history, its own CVE timeline, and its own upgrade path. When security scanners flag a vulnerability, teams face a calculation: how much risk does this CVE represent versus how much risk does the upgrade introduce?
Industry data suggests roughly one in four CVE fixes introduce breaking changes when teams attempt to upgrade. For enterprises running legacy systems or tightly coupled architectures, that ratio can be higher. The result is a backlog of unpatched vulnerabilities, not because teams ignore security, but because the cure threatens to be worse than the disease.
Root's AutoFix technology isolates the security-relevant code changes from a newer version and applies them to the older version the team is actually using. The dependency stays on its current major version. APIs remain stable. But the vulnerability gets patched.
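The mechanism described above, as an added example that is not Aikido's or Root's code: a shell walk-through of a manual backport with git. Everything in it is constructed for illustration, including the toy library `filestore.py`, its path-traversal bug and the commit messages. It assumes `git`, POSIX `sed` and `grep` are available and that the upstream fix sits in its own commit, which is the usual case for a disclosed CVE fix but not guaranteed.

```shell
#!/bin/sh
# Added example, not Aikido's or Root's code: a manual backport with git.
# A toy library, a breaking 2.0.0 change and a separate security fix are
# created locally; only the fix commit is then cherry-picked onto a branch
# cut from the pinned 1.0.0 release, and the result is checked and re-versioned.
set -eu

run_backport_demo() {
    start=$(pwd)
    work=$(mktemp -d)
    cd "$work"
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q

    # 1.0.0: the release the hypothetical application is pinned to.
    cat > filestore.py <<'EOF'
"""filestore: constructed toy library, not a real package."""
import os

__version__ = "1.0.0"
BASE_DIR = "/srv/data"


def read_path(name):
    """Resolve a stored file name to a path on disk."""
    return os.path.join(BASE_DIR, name)


def list_files():
    """List stored files; existing callers depend on this name."""
    return sorted(os.listdir(BASE_DIR))
EOF
    git add filestore.py && git commit -q -m "Release 1.0.0" && git tag v1.0.0

    # 2.0.0, commit 1: an unrelated breaking API change plus version bump.
    sed -e 's/"1.0.0"/"2.0.0"/' -e 's/def list_files()/def list_entries(prefix="")/' \
        filestore.py > filestore.tmp && mv filestore.tmp filestore.py
    git commit -q -am "Rename list_files to list_entries (breaking)"

    # 2.0.0, commit 2: the security fix, kept in its own commit.
    cat > filestore.py <<'EOF'
"""filestore: constructed toy library, not a real package."""
import os

__version__ = "2.0.0"
BASE_DIR = "/srv/data"


def read_path(name):
    """Resolve a stored file name to a path on disk."""
    if os.path.isabs(name) or ".." in name.split(os.sep):
        raise ValueError("path traversal rejected")
    return os.path.join(BASE_DIR, name)


def list_entries(prefix=""):
    """List stored files; existing callers depend on this name."""
    return sorted(os.listdir(BASE_DIR))
EOF
    git commit -q -am "Reject path traversal in read_path" && git tag v2.0.0

    # Isolate the security-relevant commit from everything else in 1.0.0..2.0.0.
    fix=$(git log --format=%H --grep='Reject path traversal' v1.0.0..v2.0.0)

    # Apply only that commit to a maintenance branch cut from the pinned tag.
    git checkout -q -b v1-maintenance v1.0.0
    git cherry-pick -x "$fix" >/dev/null

    # Give the patched build its own version string (PEP 440 local label) so
    # SBOMs and scanners can tell it apart from the vulnerable 1.0.0.
    sed 's/"1.0.0"/"1.0.1+backport.1"/' filestore.py > filestore.tmp \
        && mv filestore.tmp filestore.py
    git commit -q -am "Bump to 1.0.1+backport.1" && git tag v1.0.1-backport.1

    # Checks to run before publishing the patched build.
    grep -q 'path traversal rejected' filestore.py || return 1   # fix landed
    grep -q 'def list_files()' filestore.py || return 1          # old API kept
    ! grep -q 'def list_entries' filestore.py || return 1        # no API break
    grep -q '1.0.1+backport.1' filestore.py || return 1          # distinct version

    cd "$start" && rm -rf "$work"
    echo backport-ok
}

run_backport_demo
```

The `git log --grep` step is the "isolate the security-relevant change" part; in practice the commit comes from the advisory or the upstream pull request rather than a message search. The cherry-pick only applies cleanly because the fix and the breaking rename touch different regions of the file; when upstream has refactored the code around the fix, the 3-way merge conflicts and the fix has to be re-implemented by hand. The re-versioning step is the part most teams forget: vulnerability scanners match on version numbers, so a patched 1.0.0 still reports as vulnerable until it carries a distinguishable identifier and, ideally, a VEX statement saying why the CVE no longer applies.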
Where this fits in Aikido's platform
Aikido positions itself as a developer-first security platform, consolidating SAST, DAST, SCA, secrets detection, and container scanning into a single interface. The company emerged from stealth in 2023 and raised a $17 million Series A in January 2024, led by Singular. A previous $5.3 million seed round came in April 2023.
Adding backporting extends Aikido's remediation capabilities. Most SCA tools stop at detection: they tell you a dependency has a known vulnerability. Some suggest an upgrade path. Aikido now claims to offer a third path that doesn't require version changes at all.
The company reports serving over 6,000 customers. Terms of the Root acquisition were not disclosed.
Competitive implications
The application security market is crowded. Snyk, Sonatype, Mend (formerly WhiteSource), and GitHub's Dependabot all offer dependency scanning and upgrade suggestions. JFrog acquired Vdoo in 2021 to bolster its security posture. None of these platforms currently offers backporting as a core feature.
Linux distributions have practiced backporting for decades. Red Hat and Canonical routinely patch security issues in older package versions to maintain stability for enterprise customers who can't upgrade on every release cycle, and they publish advisory data so that scanners recognize the patched package instead of flagging its upstream version number. Aikido is applying the same logic to the npm, PyPI, and Maven ecosystems where most modern applications live.
Whether automated backporting can scale across the fragmented open source dependency graph remains an open question. When the code around a fix has been refactored between versions, the patch no longer applies cleanly and has to be re-implemented by hand, which is exactly where automation is most likely to fail. Aikido will need to demonstrate coverage rates and reliability before enterprise security teams trust it for critical production workloads.
Logicity's Take
Backporting is unsexy but practical. Most security tools focus on detection velocity and dashboard polish. Aikido is betting that teams care more about closing vulnerabilities without destabilizing their systems. If Root's AutoFix works reliably across popular ecosystems, Aikido differentiates itself from Snyk and Mend on the axis that actually matters: getting to a patched state without a two-week refactoring sprint. Engineering leaders evaluating SCA tools should ask vendors directly about their remediation workflows, not just their CVE databases.
What engineering teams should watch
For DevOps teams running vulnerability management programs, the acquisition raises practical questions. Which package ecosystems does Root's backporting support today? What's the success rate on patches for high-profile CVEs? Does the patched dependency pass the same test suites as the official upstream release? How is the patched build identified, so that other scanners and SBOM consumers stop flagging the original version number as vulnerable?
Aikido hasn't published detailed coverage metrics yet. Teams considering the platform should request specifics on their most critical dependencies before assuming backporting will solve their upgrade backlog.
Frequently Asked Questions
What is backporting in software security?
Backporting means applying a security fix from a newer software version to an older version you're currently using, without requiring a full upgrade.
Why would teams avoid upgrading dependencies to fix vulnerabilities?
Upgrades often introduce breaking API changes, compatibility issues, or require extensive testing. Roughly one in four CVE fixes break applications when teams upgrade.
How does Aikido's acquisition of Root change its platform?
Aikido can now offer vulnerability remediation that patches dependencies in place, rather than only suggesting upgrades like most SCA tools.
Which competitors offer similar backporting features?
Currently, major SCA vendors like Snyk, Sonatype, and Mend do not offer automated backporting. Linux distributions like Red Hat have done this for system packages, but not for npm/PyPI/Maven ecosystems.
Source: The New Stack / Paul Sawers
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.