In a recent episode of The Security Strategist Podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, sat down with John Amaral, Co-Founder and CTO of Root. They discussed how automation, AI agents, and a new approach called “Shift Out” are changing vulnerability management.

Amaral, who has decades of experience in security leadership, argues for moving beyond the industry’s traditional “shift left” concept. He believes organisations should focus on systems that prioritise scale, speed, and effective fixes.

Why Shift Left Failed

Amaral says the “shift left” promise never came true. Even with positive intentions, sending vulnerability lists back to developers created overloaded backlogs and slow remediation times, resulting in frustration for everyone involved.

Engineers are experts in their application code, but not in the vast and complex open-source libraries their software relies on. When security scanners present hundreds of CVEs, “roadmap wins out over security,” Amaral explains. Often, maintainers only patch newer versions, leaving production teams stuck with outdated releases and no safe upgrade options.


Shift Out is Root’s solution to this flawed workflow. Instead of adding to developers' workloads, organisations can assign the entire fix process—including patch creation, testing, and delivery—to an automated system led by domain experts.

“Don’t give it to developers, give it to us,” the Root co-founder states. “We’ll take it.”

A New Standard for Open-Source Maintenance

When discussing the idea of an external system modifying customer code, Amaral clarifies that Root doesn’t alter first-party code. Instead, they fix the open-source libraries that customers use—libraries that are already out of their control.

Amaral points out that the current industry practice of blindly upgrading to whatever version the maintainer publishes is much riskier than applying a targeted backported fix to the version already in production. With the rise of supply-chain attacks, and maintainers often unable to apply fixes to older versions, companies increasingly face a troubling maintenance gap.

To build trust and transparency, Root publicly shares all of its backported patches in a GitHub repository. This allows maintainers, independent developers, and the broader open-source community to examine, use, or build upon Root’s work. “If people want to use them, they can,” Amaral states. “It’s our responsibility to make that available.”

Amaral’s message for technology leaders is that as AI changes the software landscape, organisations should adopt a remediation-first mindset. They should begin development with secure, pre-fixed libraries instead of rushing to address CVEs later. With AI-driven remediation now feasible at scale, maintaining secure software should become a standard practice, not an urgent afterthought.

Takeaways

  • AI is revolutionising vulnerability management.
  • Shift Out is a new approach to security.
  • Automation can alleviate the burden on developers.
  • Trust is essential for adopting new security solutions.
  • Open source maintenance is crucial for security.
  • Backported patches benefit the wider community.
  • Traditional methods of vulnerability management are becoming obsolete.
  • Organisations need to start with secure libraries.
  • AI can provide scalable security solutions.
  • The future of security lies in automation and AI.

Chapters

  • 00:00 Introduction to AI in Vulnerability Management
  • 03:06 The Shift Out Mindset
  • 05:51 Make vs. Buy: The Agent Dilemma
  • 09:02 Building Trust with Customers
  • 11:54 Open Source and Backported Patches
  • 14:59 The Future of Vulnerability Management

About Root

Root eradicates the CVE grind by delivering open source software that is free of known vulnerabilities, secure by default, and ready to use without additional engineering effort. Powered by thousands of specialised AI agents, Root continuously detects, patches, tests, and ships fixed components across any tech stack in minutes—with full transparency, no forced upgrades, and no vendor-locked images.

AppSec teams get immediate remediation without waiting on developers. Engineers stay focused on building products instead of managing patches. And organisations dramatically reduce exposure windows by moving security at AI speed. Root is building the backbone of the agentic software supply chain, where open source is secure from day one.