In the recent episode of The Security Strategist Podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, sat down with John Amaral, Co-Founder and CTO of Root. They discussed how automation, AI agents, and a new approach called “Shift Out” are changing vulnerability management. Amaral, who has decades of experience in security leadership, argues for moving beyond the industry’s traditional “shift left” concept. He believes organisations should focus on systems that prioritise scale, speed, and effective fixes.

Why Shift Left Failed

Amaral says the “shift left” promise never came true. Even with positive intentions, sending vulnerability lists back to developers created overloaded backlogs and slow remediation times, resulting in frustration for everyone involved. Engineers are experts in their application code, but not in the vast and complex open-source libraries their software relies on. When security scanners present hundreds of CVEs, “roadmap wins out over security,” Amaral explains. Often, maintainers only patch newer versions, leaving production teams stuck with outdated releases and no safe upgrade options.

Shift Out is Root’s solution to this flawed workflow. Instead of adding to developers' workloads, organisations can assign the entire fix process—including patch creation, testing, and delivery—to an automated system led by domain experts. “Don’t give it to developers, give it to us,” the Root co-founder states. “We’ll take it.”

Takeaways

AI is revolutionising vulnerability management.
Shift Out is a new approach to security.
Automation can alleviate the burden on developers.
Trust is essential for adopting new security solutions.
Open source maintenance is crucial for security.
Backported patches benefit the wider community.
Traditional methods of vulnerability management are becoming obsolete.
Organisations need to start with secure libraries.
AI can provide scalable security solutions.
The future of security lies in automation and AI.
Chapters

00:00 Introduction to AI in Vulnerability Management
03:06 The Shift Out Mindset
05:51 Make vs. Buy: The Agent Dilemma
09:02 Building Trust with Customers
11:54 Open Source and Backported Patches
14:59 The Future of Vulnerability Management

About Root

Root eradicates the CVE grind by delivering open source software that is free of known vulnerabilities, secure by default, and ready to use without additional engineering effort. Powered by thousands of specialised AI agents, Root continuously detects, patches, tests, and ships fixed components across any tech stack in minutes—with full transparency, no forced upgrades, and no vendor-locked images.