Root Agentic Vulnerability Remediation

Stop shifting left. Shift Out.

Root Image Catalog (RIC) delivers continuously remediated, hardened base OS images bundled with official runtimes and frameworks. Access over 2,000+ secure container images with proven provenance, attestation, SBOM (CycloneDX), and VEX documentation - all rebuilt from source and validated continuously.

The Problem: Container security starts with the base image, but official images are riddled with vulnerabilities. Developers and security teams waste hours every week triaging CVEs in base layers. "Fix-forward" solutions from vendors like Chainguard and Wolfi require migration to custom, often incompatible base images, leading to months of re-engineering and broken builds.

The Root Solution: Root Image Catalog eliminates base image vulnerabilities entirely. We provide secure, hardened versions of the official images you already use - maintained and patched by our automated Agentic Vulnerability Remediation (AVR) platform.

Just change FROM ubuntu:22.04 to FROM cr.root.io/ubuntu:22.04. That's it.

Key Features:

• 2,000+ Curated Images: Hardened, continuously remediated versions of Alpine, Debian, Ubuntu, plus official runtimes like Python, Node, Java, Go, and 40+ more
• Full Version History: Access patched versions of any tag from the last 3-5 years. - Secure older, pinned dependencies without being forced to upgrade
• Built-From-Source Patching: Every patched artifact is rebuilt from source, ensuring no unknown binaries or hidden malware
• Zero Breaking Changes: Our images maintain native OS compatibility. If it worked on the official image, it works on the Root version
• Complete Proof Chain: Every image includes full security artifacts (SBOM, VEX, Attestation) to satisfy auditors
• Dual-Architecture Support: All images available for both AMD64 and ARM64 architectures

SLA-Backed Guarantee:

• Standard SLA: 30-day remediation for Critical/High vulnerabilities with 72-hour CISA KEV response
• Enhanced SLA: 7-day Critical/High remediation, 30-day Medium remediation, 72-hour CISA KEV response
• Service credits provided if registry SLA is missed

How It Works:

• Research: Collect everything known about the CVE - advisories, exploits, affected versions, upstream commits
• Patch: Apply the smallest safe fix. If an upgrade works, great. If not, backport it
• Test: Run package tests, functional tests, and CVE-specific tests to ensure the patch works and nothing breaks
• Replace: Deliver the fixed, fully tested image straight into your pipeline with full transparency

Integration:

• Works seamlessly with AWS ECR, Docker Hub, GCR/GAR, and GitLab
• No pipeline disruption - swap a single line in your Dockerfile
• Native integration with existing CI/CD workflows

Who It's For:

• Security Teams: Eliminate 60-70% of CVE noise from scanners; focus on high-impact application-level risks
• Platform & DevOps Teams: Standardize on a secure foundation; eliminate image drift and reduce maintenance overhead
• Developers: Pull secure images by default; never blocked by base image vulnerabilities. Zero learning curve, no migration required
• Compliance & GRC Teams: Generate audit-ready proof on demand for SOC 2, FedRAMP, and other regulatory requirements

Compliance:

• SOC 2 Type 2 certified
• SLSA Level 3 verified
• FIPS 140-2/3 ready
• FedRAMP ready

Results:

• Median remediation time: <5 minutes for common CVEs
• 300 -> 0 vulnerabilities in 24 hours (DeleteMe case study)
• Developer time reclaimed: 20-30% of sprint capacity
• 100% SLA adherence (Enhanced tier)