Ian Riopel, CEO and Co-Founder of Root.io – Interview Series


May 2, 2025 - 17:53

Ian Riopel, CEO and Co-Founder of Root.io, leads the company’s mission to secure the software supply chain with cloud-native solutions. With over 15 years in tech and cybersecurity, he has held leadership roles at Slim.AI and FXP, focusing on enterprise sales, go-to-market strategy, and public sector growth. He holds an ACE from MIT Sloan and is a graduate of the U.S. Army Intelligence School.

Root.io is a cloud-native security platform designed to help enterprises secure their software supply chain. By automating trust and compliance across development pipelines, Root.io enables faster, more reliable software delivery for modern DevOps teams.

What inspired the founding of Root, and how did the idea for Automated Vulnerability Remediation (AVR) come about?

Root was born from a deep frustration we repeatedly faced firsthand: organizations dedicating massive amounts of time and resources to chasing vulnerabilities that never fully went away. Triage had become the only defense against rapidly accruing CVE technical debt, but with the rate of emerging vulnerabilities, triage alone simply isn't enough anymore.

As maintainers of Slim Toolkit (formerly DockerSlim), we were already deeply engaged in container optimization and security. It was natural for us to ask: What if containers could proactively fix themselves as part of the standard software development lifecycle? Automated fixing, now known as Automated Vulnerability Remediation (“AVR”), was our solution—an approach not focused on triage and list building, but on automatically eliminating vulnerabilities, directly in your software, without introducing breaking changes.

Root was formerly known as Slim.AI—what prompted the rebrand, and how did the company evolve during that transition?

Slim.AI began as a tool to help developers minimize and optimize containers. But we soon realized our technology had evolved into something far more impactful: a powerful platform capable of proactively securing software for production at scale. The rebrand to Root captures this transformative shift—from a developer optimization tool to a robust security solution that empowers any organization to meet rigorous security demands around open-source software in minutes. Root embodies our mission: getting to the root of software risk and remediating vulnerabilities before they ever become incidents.

You've got a team with deep roots in cybersecurity, from Cisco, Trustwave, and Snyk. How did your collective experience shape the DNA of Root?

Our team has built security scanners, defended global enterprises, and architected solutions for some of the most sensitive and high-stakes infrastructures. We've grappled directly with the trade-offs between speed, security, and developer experience. This collective experience fundamentally shaped Root's DNA. We’re obsessed with automation and integration—not merely identifying security issues but solving them swiftly without creating new friction. Our experience informs every decision, ensuring that security accelerates innovation rather than slows it down.

Root claims to patch container vulnerabilities in seconds—no rebuilds, no downtime. How does your AVR technology actually work under the hood?

AVR works directly at the container layer, swiftly identifying vulnerable packages and patching or replacing them within the image itself—without requiring complex rebuilds. Think of it as seamlessly hot-swapping vulnerable code snippets with secure replacements while preserving your dependencies, layers, and runtime behaviors. No more waiting on upstream patches, no need to re-architect your pipelines. It's remediation at the speed of innovation.

Can you explain what sets Root apart from other security solutions like Chainguard or Rapidfort? What's your edge in this space?

Unlike Chainguard, which mandates rebuilds using curated images, or Rapidfort, which shrinks attack surfaces without directly addressing vulnerabilities, Root directly patches your existing container images. We seamlessly integrate into your pipeline without disruption—no friction, no handoffs. We're not here to replace your workflow, we're here to accelerate and enhance it. Every image that runs through Root essentially becomes a golden image—fully secured, transparent, controlled—delivering rapid ROI by slashing vulnerabilities and saving time. Our platform cuts remediation from weeks or days to just 120-180 seconds, enabling companies in highly regulated industries to eliminate months-long vulnerability backlogs in a single session.

Developers should be focused on building and shipping new products – not spending hours fixing security vulnerabilities, a time-consuming and often dreaded aspect of software development that stalls innovation. Worse, many of these vulnerabilities aren’t even their own – they stem from weaknesses in third-party vendors or open-source software projects, forcing teams to spend valuable hours fixing someone else’s problem.

Developers and R&D teams are among the largest cost centers in any organization, both in terms of human resources and the software and cloud infrastructure that supports them. Root alleviates this burden by leveraging agentic AI, rather than relying on teams of developers working around the clock to manually check and patch known vulnerabilities.

How does Root specifically leverage agentic AI to automate and streamline the vulnerability remediation process?

Our AVR engine uses agentic AI to replicate the thought processes and actions of a seasoned security engineer—rapidly assessing CVE impact, identifying the best available patches, rigorously testing, and safely applying fixes. It accomplishes in seconds what would otherwise require significant manual effort, scaling across thousands of images simultaneously. Every remediation teaches the system, continuously enhancing its effectiveness and adaptability, essentially embedding the expertise of a full-time security engineer directly into your images.

How does Root integrate into existing developer workflows without adding friction?

Root effortlessly integrates into existing workflows, plugging directly into your container registry or pipeline—no rebasing, no new agents, and no additional sidecars. Developers push images as usual, and Root handles patching and publishing updated images seamlessly in place or as new tags. Our solution remains invisible until needed, offering complete visibility through detailed audit trails, comprehensive SBOMs, and simple rollback options when desired.

How do you balance automation and control? For teams that want visibility and oversight, how customizable is Root?

At Root, automation enhances—not diminishes—control. Our platform is highly customizable, allowing teams to scale the level of automation to their specific needs. You decide what to auto-apply, when to involve manual review, and what to exclude. We provide extensive visibility through detailed diff views, changelogs, and impact analyses, ensuring security teams remain informed and empowered, never left in the dark.

With thousands of vulnerabilities fixed automatically, how do you ensure stability and avoid breaking dependencies or disrupting production?

Stability and reliability underpin every action that Root’s AVR takes. By default, we adopt a conservative approach, meticulously tracking dependency graphs, employing compatibility-aware patches, and rigorously testing every remediated image against all publicly available testing frameworks for open-source projects before deployment. Should an issue ever arise, it's caught early, and rollback is effortless. In practice, we’ve maintained less than a 0.1% failure rate across thousands of automated remediations.

As AI advances, so do potential attack surfaces. How is Root preparing for emerging AI-era security threats?

We view AI as both a potential threat vector and a defensive superpower. Root is proactively embedding resilience directly into the software supply chain, ensuring that containerized workloads—including complex AI/ML stacks—are continuously hardened. Our agentic AI evolves as threats evolve, autonomously adapting defenses faster than attackers can act. Our ultimate goal is autonomous software supply chain resilience: infrastructure that defends itself at the speed of emerging threats.

Thank you for the great interview; readers who wish to learn more should visit Root.io.

The post Ian Riopel, CEO and Co-Founder of Root.io – Interview Series appeared first on Unite.AI.