
Ian Riopel, CEO and Co-founder of root.io – Interview Series

Ian Riopel, CEO and co-founder of Root.io, leads the company's mission to protect the software supply chain with cloud-native solutions. He has 15 years of experience in technology and cybersecurity, having held leadership positions at Slim.ai and FXP focused on enterprise sales, go-to-market strategy and public sector growth. He is an MIT Sloan alumnus and a graduate of the U.S. Army Intelligence Academy.

root.io is a cloud-native security platform designed to help businesses protect their software supply chains. By automating trust and compliance across the development pipeline, root.io enables faster, more reliable software delivery for modern DevOps teams.

What inspired the founding of root.io, and how did the idea of Automated Vulnerability Remediation (AVR) come about?

Root was born out of a deep frustration we faced first-hand, again and again: organizations dedicate enormous time and resources to chasing vulnerabilities that never fully go away. Triage has become the only defense against CVE technical debt, but with the speed at which new vulnerabilities emerge, triage alone is no longer enough.

As maintainers of Slim Toolkit (formerly DockerSlim), we have been deeply involved in container optimization and security. It was natural for us to ask: what if containers could be actively remediated as part of the standard software development lifecycle? Automatic fixes, now called Automated Vulnerability Remediation ("AVR"), are our answer: a method that does not focus on triage and list-building, but eliminates vulnerabilities directly in the software, automatically, without introducing disruptive changes.

root.io was formerly known as Slim.ai. What prompted the rebrand, and how did the company evolve during the transition?

Slim.ai started as a tool that helped developers minimize and optimize containers. But we quickly realized that our technology had evolved into something more impactful: a powerful platform that could proactively protect production software at scale. The rebrand to Root captures this transformative shift, from a developer optimization tool to a robust security solution that lets any organization meet the strict security requirements of open source software in minutes. Root embodies our mission: to confront the root causes of software risk and fix vulnerabilities before they become incidents.

Your team brings cybersecurity roots from Cisco, Trustwave and Snyk. How does that collective experience shape Root's DNA?

Our team has built security scanners that defend businesses around the world and has architected solutions for some of the most sensitive, high-risk infrastructure. We have run directly into the tradeoffs between speed, security and developer experience. That collective experience fundamentally forms Root's DNA. We are obsessed with automation and integration: not just identifying security issues, but resolving them quickly without creating new friction. Our experience informs every decision, ensuring that security accelerates innovation rather than slowing it down.

Root claims to fix container vulnerabilities in seconds, with no rebuild and no downtime. How does your AVR technology work under the hood?

AVR works directly at the container layer, rapidly identifying vulnerable packages and patching or replacing them within the image itself, without a complex rebuild. Think of it as swapping out vulnerable snippets for secure replacements while preserving dependencies, layers and runtime behavior. No more waiting for upstream patches, no need to restructure your pipeline. This is remediation at the pace of innovation.

Can you explain how Root differs from other security solutions like Chainguard or RapidFort? What are your strengths in this space?

Unlike Chainguard, which uses curated images, or RapidFort, which rebuilds images to narrow the attack surface without directly addressing vulnerabilities, Root patches your existing container image directly. We integrate seamlessly into your pipelines without interruption: no friction, no handoff. We are not here to replace your workflow, but to accelerate and enhance it. Every image that runs through Root essentially becomes a golden image: fixed, transparent and controlled, with a fast ROI from closing holes and saving time. Our platform reduces remediation from weeks or days to just 120-180 seconds, allowing companies in highly regulated industries to eliminate months of vulnerability backlog in a single session.

Developers should focus on building and shipping new products, not on spending hours fixing security vulnerabilities, a time-consuming and often daunting aspect of software development that can stall innovation. Worse, many of these vulnerabilities are not even their own; they stem from weaknesses in third-party vendors or open source projects, forcing teams to spend valuable time solving other people's problems.

Developers and R&D teams are one of the largest cost centers in any organization, both in headcount and in the software and cloud infrastructure that supports them. Root reduces this burden by leveraging agentic AI, rather than relying on a team of developers working around the clock to manually check and patch known vulnerabilities.

How specifically does Root use agentic AI to automate and simplify the vulnerability remediation process?

Our AVR engine uses agentic AI to replicate the thought processes and actions of experienced security engineers: sequentially assessing the impact of a CVE, identifying the best available patch, rigorously testing it and safely applying the fix. It does in seconds what would otherwise require significant manual effort, across thousands of images at the same time. Each remediation teaches the system, continuously improving its effectiveness and adaptability, essentially embedding the expertise of a full-time security engineer directly into your images.

How does Root integrate into existing developer workflows without adding friction?

Root integrates easily into existing workflows, plugging directly into your container registry or pipeline, with no retooling, no new agents and no other extra components. Developers push images as usual, and Root patches and releases the updated image, either seamlessly or as a new tag. Our solution stays invisible until needed, and provides full visibility through detailed audit trails, comprehensive SBOMs and simple rollback options.

How do you balance automation and control? For teams that want visibility and oversight, how customizable is Root?

At Root, automation enhances (rather than reduces) control. Our platform is highly customizable, letting teams scale the level of automation to their specific needs. You decide what is enabled automatically, when manual review is involved and what is excluded. We provide extensive visibility through detailed diff views, changelogs and impact analysis, ensuring that security teams stay informed and in control, never left in the dark.

With thousands of vulnerabilities fixed automatically, how do you ensure stability and avoid breaking dependencies or production?

Stability and reliability are at the root of every action AVR takes. By default, we adopt a conservative approach: carefully tracking dependency graphs, applying compatibility-preserving patches, and strictly testing each fixed image against all publicly available test frameworks for the open source projects involved before deployment. If a problem arises, it is caught very early and rolled back effortlessly. In fact, our failure rate is below 0.1% across thousands of automated remediations.

As AI advances, so does the potential attack surface. How is Root preparing for AI-era security threats?

We believe that AI is both a potential threat vector and a defensive superpower. Root proactively embeds resilience directly into the software supply chain, ensuring that container workloads (including complex AI/ML stacks) are continuously hardened. As threats evolve, our agentic AI evolves with them, adapting defenses autonomously, faster than attackers. Our ultimate goal is an autonomous, resilient software supply chain: defending our infrastructure at the speed of emerging threats.

Thank you for the great interview. Readers who wish to learn more should visit Root.io.
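The interview describes patching a container image "at the container layer" without a rebuild, releasing the result as a new tag, and exposing a diff and audit trail of what changed. The following is an added, self-contained illustration of what that looks like in generic OCI terms; it is example code written for this page, not Root.io's implementation or API. It models an image as ordered tar layers plus a config whose rootfs.diff_ids lists each layer's digest, appends one patch layer carrying the fixed package (using an OCI whiteout entry to hide the old shared object), and then flattens the layers the way a runtime would to confirm the fix landed. The package database, file names and helper names (make_layer, apply_patch_layer, flatten, remediation_diff) are all constructed for this example.

```python
"""Patch a container image by appending a layer instead of rebuilding it.

Constructed in-memory model of an OCI image (added example, not Root.io code).
The 'package database' is a constructed 'name version' text file; real images
use dpkg/apk/rpm databases. All helper names here are hypothetical.
"""
import hashlib
import io
import json
import tarfile


def make_layer(files: dict[str, bytes], whiteouts=()) -> bytes:
    """Build an uncompressed tar layer. `files` maps path -> content; each path
    in `whiteouts` becomes an OCI whiteout (".wh.<name>") hiding that path from
    lower layers."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for path in whiteouts:
            directory, _, name = path.rpartition("/")
            wh = tarfile.TarInfo(f"{directory}/.wh.{name}" if directory else f".wh.{name}")
            tar.addfile(wh, io.BytesIO(b""))
    return buf.getvalue()


def digest(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def build_image(layers: list[bytes], entrypoint: list[str]) -> dict:
    """Assemble config + manifest around the given layers (layers are reused as-is)."""
    config = {
        "architecture": "amd64", "os": "linux",
        "config": {"Entrypoint": entrypoint},
        "rootfs": {"type": "layers", "diff_ids": [digest(l) for l in layers]},
    }
    config_blob = json.dumps(config, sort_keys=True).encode()
    manifest = {
        "schemaVersion": 2,
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": digest(config_blob), "size": len(config_blob)},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar",
                    "digest": digest(l), "size": len(l)} for l in layers],
    }
    return {"manifest": manifest, "config": config, "layers": layers}


def apply_patch_layer(image: dict, files: dict[str, bytes], whiteouts=()) -> dict:
    """Append one layer with replacement files. Existing layers, their digests and
    the entrypoint are untouched; only the config/manifest digests change, which
    is why the result is published as a new tag or digest."""
    patch = make_layer(files, whiteouts)
    return build_image(image["layers"] + [patch], image["config"]["config"]["Entrypoint"])


def flatten(image: dict) -> dict[str, bytes]:
    """Resolve the rootfs a runtime would see: later layers win; a whiteout in a
    layer removes the path from lower layers before that layer's own files apply."""
    rootfs: dict[str, bytes] = {}
    for layer in image["layers"]:
        with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
            members = tar.getmembers()
            for m in members:
                directory, _, name = m.name.rpartition("/")
                if name.startswith(".wh."):
                    rootfs.pop(f"{directory}/{name[4:]}" if directory else name[4:], None)
            for m in members:
                if m.isfile() and not m.name.rpartition("/")[2].startswith(".wh."):
                    rootfs[m.name] = tar.extractfile(m).read()
    return rootfs


def installed_packages(rootfs: dict[str, bytes]) -> dict[str, str]:
    """Parse the constructed 'name version' package database."""
    db = rootfs.get("var/lib/pkgdb/status", b"").decode()
    return dict(line.split() for line in db.splitlines() if line.strip())


def remediation_diff(before: dict, after: dict) -> dict:
    """Audit-trail view: how many layers were reused and which packages changed."""
    reused = [d for d in before["config"]["rootfs"]["diff_ids"]
              if d in after["config"]["rootfs"]["diff_ids"]]
    pkgs_before = installed_packages(flatten(before))
    pkgs_after = installed_packages(flatten(after))
    changed = {n: (pkgs_before.get(n), v) for n, v in pkgs_after.items()
               if pkgs_before.get(n) != v}
    return {"layers_reused": len(reused), "layers_total": len(after["layers"]),
            "package_changes": changed}


# Constructed sample image: a base layer with a vulnerable library, plus an app layer.
BASE = make_layer({
    "usr/lib/libexample.so.1.0.0": b"vulnerable-build",
    "var/lib/pkgdb/status": b"libexample 1.0.0\nbusybox 1.36.1\n",
})
APP = make_layer({"app/server": b"#!/bin/sh\necho serving\n"})
ORIGINAL = build_image([BASE, APP], ["/app/server"])

# Patch: ship the fixed library, white out the old shared object, update the db.
PATCHED = apply_patch_layer(
    ORIGINAL,
    files={
        "usr/lib/libexample.so.1.0.1": b"fixed-build",
        "var/lib/pkgdb/status": b"libexample 1.0.1\nbusybox 1.36.1\n",
    },
    whiteouts=["usr/lib/libexample.so.1.0.0"],
)

if __name__ == "__main__":
    print(json.dumps(remediation_diff(ORIGINAL, PATCHED), indent=2))
```

Two points worth checking in any layer-append remediation, both visible in the flattened result above: the old vulnerable file must actually be gone (a replacement at a new path without a whiteout leaves the old library loadable), and the package database the scanner reads must be updated in the same layer, or the image will keep scanning as vulnerable even though the binary was replaced. The unchanged layer digests are what make "no rebuild" verifiable: a registry can confirm the base layers are byte-identical to the originals.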
