Thesis
Cyberattacks on government institutions and large corporations have become increasingly prevalent in a world dependent on software. A frequent entry point is the software supply chain: the third-party components, libraries and build tooling that developers pull in rather than write themselves. In 2020, the SolarWinds attack showed how exposed that supply chain is when attackers inserted malicious code into the build of the company’s Orion IT monitoring software, so that a signed, legitimate-looking update carried the backdoor to customers. The attack affected an estimated 30K public and private organizations using the software and led to an estimated $90 million in losses, and it prompted the Biden Administration to issue an executive order on improving national cybersecurity.
Software supply chain attacks are expected to keep rising: 45% of organizations worldwide are projected to experience one in 2025, three times the 2021 rate. No industry is spared; a February 2024 study found that 91% of surveyed public and private organizations in North America had experienced a supply chain attack in the previous 12 months. The supply chain is particularly exposed because of its many third-party touchpoints and because more than 90% of the code in a typical application comes from open-source components.
The number of disclosed software vulnerabilities sets a new record each year, rising from roughly 18K vulnerabilities tracked in 2018 to 24K in 2022. Attacks that exploited vulnerabilities to breach the software supply chain grew by 130% from 2022 to 2023, and the cost of such attacks is estimated to rise from $46 billion in 2023 to $138 billion by 2031.
Chainguard’s role in securing the software supply chain is to produce secure base container images. Rather than repackaging an existing distribution, the company builds every package in its images from source and rebuilds or patches packages as vulnerabilities are disclosed, so that known vulnerabilities are removed before an image reaches a developer. Developers then use these images as a trusted foundation and can spend their time building software instead of triaging vulnerability reports against their base image. As CEO Dan Lorenc states, Chainguard aims to “empower developers to focus on doing what they do best—writing great software—with a newfound confidence they are building upon a secure, vulnerability-free foundation.”
With 70% of companies admitting, as of 2023, that their software supply chain defenses are inadequate, Chainguard’s approach of removing vulnerabilities at the source matters most to organizations that depend on open-source software but lack large security engineering teams. The company’s images are now used by individual developers and large enterprise customers, including Anduril*, Snowflake, and GitLab. By the company’s account, its image library covers roughly 80% of commonly used open-source software, and Chainguard aims to become the leading source of safe, open-source code.
Founding Story

Source: Lightspeed
Chainguard was founded in October 2021 by Dan Lorenc (CEO), Matt Moore (CTO), Kim Lewandowski (CPO), Ville Aikas (Distinguished Engineer), and Scott Nichols. Prior to founding Chainguard, the team had collaborated on securing Google’s software supply chain and developing open-source security projects. Their previous experience made them acutely aware of the vulnerabilities and consequences associated with software supply chain attacks.
Lorenc joined Google in 2012 to work on securing its code and data from malicious actors. There he created Minikube, an open-source tool that runs a local Kubernetes cluster on a developer’s own machine. Working on Minikube, Lorenc saw that malicious code could be slipped into the widely used tool because its thousands of lines of code went through minimal verification, and that auditing every line for exploits or vulnerabilities by hand would take weeks or months. The consequences of undetected malicious code that Lorenc had anticipated at Google materialized in the SolarWinds attack of 2020.
Moore began his career at Microsoft in 2005 on Phoenix, a compiler framework and software development kit, before joining Google. At Google, Moore was a tech lead on container tooling and was instrumental in creating Google Container Registry. Alongside Aikas, Moore helped found Knative, an open-source project for running serverless workloads on any Kubernetes cluster, which became a widely used way to run serverless containers on Kubernetes. Moore observed the same problem Lorenc had: large companies had minimal oversight of what code they were running or where it came from. Google had strengthened its own controls, but those controls did not extend beyond the company.
Lewandowski joined Google as a Product Manager in 2014 and stayed until co-founding Chainguard. At Google she helped launch numerous cloud enterprise products and represented the company on the Governing Board of the Open Source Security Foundation (OpenSSF). Before Google, she began her security career at Lawrence Livermore National Laboratory, building a search engine for biodefense data, and she founded Spotwag, a startup that matched pet owners with reliable sitters and was later acquired by Rover.
Aikas joined Google in 2007, was one of the original engineers on Kubernetes, co-founded Knative and served on its Technical Oversight Committee, and was later a tech lead for Google Cloud Storage. Kubernetes is the dominant open-source container orchestration system, and Knative builds on it to run serverless workloads. After leaving Google in 2019, Aikas was a senior staff engineer at VMware, as was Nichols, before both co-founded Chainguard in 2021.
Nichols joined Google as a senior software engineer in 2015, first on Chrome and then on Google Cloud, where he developed the Kubernetes Service Catalog. He also contributed to and maintained the Cloud Native Computing Foundation’s CloudEvents project. Nichols left Google in 2019 for VMware, where he worked on broadening vendor neutrality and diversity in the Knative community.
In the summer of 2021, Lorenc received a text from Moore proposing a startup focused on software supply chain security. The two had worked closely together at Google on container tooling and had created the original “distroless” container images. Aikas, Nichols, and Lewandowski, who had worked with them on open-source projects at Google, joined the founding team. At Google the team had also helped build SLSA and Sigstore, two significant open-source security projects: SLSA is a framework for ensuring artifact integrity in the software supply chain, and Sigstore lets developers sign and verify software artifacts.
The founding team used the Biden Administration’s executive order as an opening to discuss software supply chain security with potential customers. The interest those organizations showed, together with a run of new supply chain attacks, confirmed the team’s view of the risk. Because the software supply chain runs largely on open-source code, the team built its minimum viable product on existing open-source projects, and its prior open-source work gave it both the development knowledge and the standing in that tight-knit community to do so.
In April 2022, the company launched an early access program to Chainguard Enforce, which enhanced the security of software supply chains by tracing the origins and cataloging the contents of containers. Around a month later, Chainguard announced the development of Chainguard Images, its flagship product aimed at protecting the software supply chain.
Product
Enforce

Source: Chainguard
Chainguard Enforce was the company’s first product, built to help developers validate container images before they are deployed. It is based on Sigstore, the open-source signing project the founding team helped create: images are signed with Sigstore, and Enforce lets developers write and manage policies that require a valid signature from an expected identity before an image may run in their Kubernetes environment.
When an image is built or deployed, Enforce checks it against the preconfigured policies. If a policy is violated, Enforce alerts the developer and suggests how to mitigate the issue. The product also offers an “agentless” mode and integrates with build systems such as GitHub Actions and CircleCI, so developers can trace where an image was built and manage policies centrally.
Enforce gives developers a risk-management tool, but it is neither a proactive nor a comprehensive way to maintain supply chain security: checking signatures and policies shows where controls are missing but does not remove vulnerabilities from the images themselves. One security analyst noted, “the Chainguard solution focuses on control gaps. Customers will still need a range of other tools and processes to address container security requirements.” The product entered general availability in September 2022, following an early access program that began in April.
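The policy decision described above, modelled as an added example in Python. This is not Chainguard Enforce’s own code: Enforce (through Sigstore) performed the cryptographic checks, verifying the signing certificate against Fulcio, the entry in the Rekor transparency log, and the signature over the image digest. Those steps are assumed to have already run and their output is represented by the `Signature` claims, so only the policy logic is shown and it runs offline. The registry names, CI identities, and digests are constructed for the example.

```python
"""Model of a signature-based admission policy for container images.

Added illustration, not Chainguard Enforce's own code. The cryptographic
verification that Sigstore performs (certificate chain to Fulcio, inclusion
in the Rekor transparency log, signature over the image digest) is assumed
to have already happened; its result is represented by Signature claims.
All registry names, identities and digests below are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import re

GITHUB_OIDC = "https://token.actions.githubusercontent.com"


@dataclass
class Signature:
    """Claims a verifier extracts from one keyless Sigstore signature."""
    image_digest: str   # hex sha256 the signature covers
    issuer: str         # OIDC issuer that vouched for the signer
    subject: str        # signer identity, e.g. a CI workflow reference


@dataclass
class Rule:
    """Who may sign images whose repository matches repo_glob."""
    repo_glob: str
    issuer: str
    subject_glob: str


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def parse_reference(ref):
    """Return (repository, hex digest) for a digest-pinned reference, else None.

    A tag alone (repo:1.4.0) is mutable and can be re-pointed after signing,
    so only repo[:tag]@sha256:<64 hex> is accepted.
    """
    name, sep, digest = ref.rpartition("@")
    if not sep or not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        return None
    # Drop a trailing :tag; a registry :port precedes a '/' and is kept.
    repo = re.sub(r":[^/]+$", "", name)
    return repo, digest[len("sha256:"):]


def evaluate(ref, signatures, rules):
    """Admit ref if some rule for its repository is satisfied by a signature
    that covers its digest and comes from the rule's issuer and subject."""
    parsed = parse_reference(ref)
    if parsed is None:
        return Verdict(False, ["image reference is not pinned by sha256 digest"])
    repo, digest = parsed
    applicable = [r for r in rules if fnmatchcase(repo, r.repo_glob)]
    if not applicable:
        return Verdict(False, [f"no policy rule covers repository {repo}"])
    for rule in applicable:
        for sig in signatures:
            if (sig.image_digest == digest and sig.issuer == rule.issuer
                    and fnmatchcase(sig.subject, rule.subject_glob)):
                return Verdict(True, [f"signed by {sig.subject} via {sig.issuer}"])
    return Verdict(False, ["no signature from an allowed identity covers this digest"])


# Constructed policy: only the release workflow of one repository, run on a
# tag, may sign images under registry.example/platform/.
RULES = [
    Rule("registry.example/platform/*", GITHUB_OIDC,
         "https://github.com/example-org/platform/.github/workflows/release.yml@refs/tags/*"),
]
RELEASE_DIGEST = "a" * 64
SIGNATURES = [
    Signature(RELEASE_DIGEST, GITHUB_OIDC,
              "https://github.com/example-org/platform/.github/workflows/release.yml@refs/tags/v1.4.0"),
    # A signature from a fork: cryptographically valid, wrong identity.
    Signature(RELEASE_DIGEST, GITHUB_OIDC,
              "https://github.com/attacker/platform/.github/workflows/release.yml@refs/tags/v1.4.0"),
]

if __name__ == "__main__":
    for ref in ("registry.example/platform/api:1.4.0@sha256:" + RELEASE_DIGEST,
                "registry.example/platform/api:1.4.0",
                "registry.example/platform/api@sha256:" + "b" * 64,
                "registry.example/other/tool@sha256:" + RELEASE_DIGEST):
        v = evaluate(ref, SIGNATURES, RULES)
        print("ALLOW" if v.allowed else "DENY ", ref, "-", "; ".join(v.reasons))
```

The two checks that matter in practice are both here: the image must be pinned by digest (a tag can be re-pointed at a different image after signing), and the signer identity is matched on issuer plus subject rather than on the mere presence of a signature, which is why the fork’s otherwise valid signature is rejected.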
Wolfi

Source: GitHub
Linux distributions, commonly called “distros”, are packaged versions of the Linux operating system: the kernel plus a chosen set of userland tools, libraries and a package manager, assembled for particular needs. Many exist, with Ubuntu, Fedora and openSUSE among the most popular, and they give developers a ready-to-use system rather than one assembled from scratch.
While creating secure container images, Chainguard found that existing distributions were poorly suited to powering them: their packages lagged upstream releases, and they carried software a container never needs, which enlarges the attack surface. The company concluded that the only way to get a suitable base was to build its own cloud-native distribution for containers.
In September 2022, Chainguard launched Wolfi, a Linux distribution built for the security requirements of modern software supply chains. Named after the world’s smallest octopus, Wolfi is a minimal, flexible distribution for container and cloud-native environments. The company calls it an “undistro” because it ships no Linux kernel (a container uses the host’s) and is not a full general-purpose distribution. Wolfi’s security emphasis is on knowing exactly what is in a container: every package carries a high-quality software bill of materials (SBOM) generated at build time, giving developers a complete manifest of the software it contains. Each package is built independently from source, which lets Chainguard patch a vulnerability or harden a build in any part of the distribution without waiting on an upstream distribution.
Security features can be bolted onto other distributions, but Wolfi stands out because it is purpose-built for software supply chain security. Knowing a program’s components as early in the development lifecycle as possible reduces the vulnerabilities that arise, or go undetected, later on. Adolfo Garcia, a software engineer at Chainguard, explains: “for software, if you don’t have the capability to collect the information at build time, you’re going to be missing a lot about what’s in there.”
Wolfi underpins Chainguard Images and is built to integrate with Chainguard’s other products, creating a cohesive ecosystem with minimal dependencies. Fewer packages mean fewer vulnerabilities and less attack surface, so developers can rely on the foundation of their code whether they use Wolfi directly or through Chainguard Images.
Images

Source: Chainguard
Containers are self-contained packages that bundle an application with its dependencies so it runs consistently across environments; an image is the blueprint, every package and dependency included, from which a container is created. Because images pull in many pieces of software at various versions, they can carry known vulnerabilities that compromise the deployed application. Publicly disclosed vulnerabilities are tracked as Common Vulnerabilities and Exposures (CVE) entries, each a standard identifier for one known flaw.
Chainguard Images were created as secure-by-default base images with low-to-no CVEs that receive regular patches. Like Wolfi, they follow the “distroless” approach, containing only the components an application needs, which shrinks the surface in which CVEs can appear; Lorenc and Moore had created one of the original “distroless” image sets at Google as a proof of concept. Chainguard Images drop up to 80% of the packages found in common container images and are 79% smaller than the official images. They are built with Chainguard’s open-source tools melange, which builds individual packages from source, and apko, which assembles packages into an image, both driven by declarative configuration that yields reproducible builds and an itemized list of packages and dependencies.
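The build-time SBOM described in the Wolfi section and the CVE matching this paragraph relies on are both illustrated by the following added example in Python. It is not Chainguard’s scanner or Wolfi’s SBOM generator: the two SBOM documents are constructed and trimmed to the SPDX fields the check needs, the package names and versions are invented, and the `EXAMPLE-*` advisory identifiers are placeholders rather than real CVEs. It matches each installed package against the advisory list and then compares a conventional base image with a minimal rebuild of the same application, which is the effect the paragraph’s package-count and CVE figures describe.

```python
"""Match a build-time SBOM against an advisory list and compare two images.

Added illustration, not Chainguard's scanner or Wolfi's SBOM generator. Both
SBOMs and the advisory list are constructed for the example: the package
names, versions and EXAMPLE-* advisory identifiers are hypothetical, and the
documents are trimmed to the SPDX fields the check needs.
"""
import json
import re

# Conventional base image: runtime library, app, plus tools the app never uses.
FAT_IMAGE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example/app:fat",
    "packages": [
        {"name": "libexample", "versionInfo": "1.2.3"},
        {"name": "curl-cli", "versionInfo": "8.0.1"},
        {"name": "perl-base", "versionInfo": "5.36.0"},
        {"name": "shell-utils", "versionInfo": "9.1"},
        {"name": "app", "versionInfo": "2.0.0"},
    ],
})

# Same application on a minimal base rebuilt from source: only the runtime
# library (at its patched version) and the app remain.
MINIMAL_IMAGE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example/app:minimal",
    "packages": [
        {"name": "libexample", "versionInfo": "1.2.5"},
        {"name": "app", "versionInfo": "2.0.0"},
    ],
})

# Constructed advisories: versions below "fixed" are affected; fixed=None
# means no upstream fix exists yet, so only removing the package helps.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "libexample", "fixed": "1.2.4"},
    {"id": "EXAMPLE-2024-0002", "package": "curl-cli", "fixed": "8.0.2"},
    {"id": "EXAMPLE-2024-0003", "package": "perl-base", "fixed": None},
]


def version_tuple(version):
    """Numeric components only, so 1.10.0 sorts after 1.9.0.

    Simplification: real distro versions carry epochs, -rN revisions and
    letter suffixes and must be compared with that distro's own rules.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def affected(installed, fixed):
    """True if the installed version falls in the advisory's affected range."""
    if fixed is None:
        return True
    return version_tuple(installed) < version_tuple(fixed)


def scan(sbom_json):
    """Return the package count and (advisory, package, installed, fixed)
    findings for one SBOM document."""
    doc = json.loads(sbom_json)
    findings = []
    for pkg in doc["packages"]:
        for adv in ADVISORIES:
            if adv["package"] == pkg["name"] and affected(pkg["versionInfo"], adv["fixed"]):
                findings.append((adv["id"], pkg["name"], pkg["versionInfo"], adv["fixed"]))
    return {"image": doc["name"], "packages": len(doc["packages"]), "findings": findings}


def compare(before_json, after_json):
    """Summarise how much attack surface and how many findings a rebuild removed."""
    before, after = scan(before_json), scan(after_json)
    unfixable = lambda report: [f for f in report["findings"] if f[3] is None]
    return {
        "packages_before": before["packages"],
        "packages_after": after["packages"],
        "packages_removed_pct": round(100 * (1 - after["packages"] / before["packages"])),
        "findings_before": len(before["findings"]),
        "findings_after": len(after["findings"]),
        # Findings with no fix can only disappear by dropping the package.
        "unfixable_removed": len(unfixable(before)) - len(unfixable(after)),
    }


if __name__ == "__main__":
    for sbom in (FAT_IMAGE_SBOM, MINIMAL_IMAGE_SBOM):
        report = scan(sbom)
        print(report["image"], report["packages"], "packages")
        for adv_id, name, installed, fixed in report["findings"]:
            print(f"  {adv_id}: {name} {installed} (fixed in {fixed or 'no fix yet'})")
    print(compare(FAT_IMAGE_SBOM, MINIMAL_IMAGE_SBOM))
```

The `perl-base` finding is the instructive case: it has no fixed version, so no amount of patching clears it from the fat image, while the minimal image is clean simply because the package is not there. Scanners report that difference; only changing what goes into the image removes it.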
Chainguard Images first launched in 2022 as a free public catalog for developers. A year later, the company announced the creation of a paid image catalog. These two catalogs have since evolved into two offerings: Developer Images and Production Images. Developer Images are free for individual developers and open-source software, while Production Images are subscription-based custom images for enterprises and organizations. The company also provides Federal Information Processing Standards (FIPS)-compliant images for customers needing to meet government standards.

Source: Chainguard
Chainguard initially focused on common open-source languages and codebases; it is now expanding into specialized images, including images for AI workloads (such as GPT-style models), and takes custom orders. The company is trying to balance keeping open-source software secure through free images against monetizing its catalog: the free Developer Images now cover only the latest version of each piece of software, while developers who need images to support an open-source project are encouraged to contact the company.
Academy

Source: Chainguard
Chainguard Academy is an educational platform that teaches developers about software supply chain security and Chainguard’s products. Launched alongside Wolfi, it builds on Chainguard’s earlier educational partnerships with the Linux Foundation and edX. The company aims to make Chainguard Academy an up-to-date hub for all topics related to software supply chain security.
As of April 2023, Chainguard Academy offered over 300 courses, tutorials, and videos covering subjects such as containers, supply chain visibility, and compliance. Participants earn badges for completing certain courses, such as Securing the AI/ML Supply Chain or Painless Vulnerability Management. The platform is open source, and anyone can open a pull request on Chainguard Academy’s GitHub repository to suggest new topics.
Chainguard Academy provides guides on Chainguard and open-source software supply chain products, such as Images, SLSA, and Wolfi. These guides help developers understand the purpose of these tools and how to implement them with Chainguard’s solutions. One Linux Foundation Research survey estimates one-third of developers are unfamiliar with secure software development practices. As a result, Chainguard Academy serves as a valuable resource for organizations and software professionals who want to secure their software supply chains. The educational platform also forwards the company’s mission to create a more secure software supply chain through increased awareness and education for developers.
Market
Customer
Chainguard offers container security solutions for individual developers and enterprise customers. In November 2024, the company announced a reduction in availability for free-to-use Developer Images, indicating a shift towards creating more comprehensive paid container images for enterprise customers. These customers often have large DevOps teams that prioritize security and compliance while working with open-source codebases and cloud-native environments. Selling to enterprise customers can be challenging, considering many organizations have traditionally relied on patching vulnerabilities after deployment. However, high-profile attacks and regulatory requirements for software supply chain security have created a pressing need for Chainguard’s solutions.
Chainguard’s customer base is diverse in size and industry but consists mainly of organizations seeking to improve their software supply chain security. As of February 2025, notable customers include Hewlett Packard Enterprise, Sourcegraph, Snowflake, and Wiz. Before Chainguard, customers relied on scanners to find vulnerabilities in their containers, but a scanner only reports CVEs; it cannot reduce or eliminate them. Chainguard’s proactive image security enabled Sourcegraph to reach “inbox zero” for CVEs for the first time in two years, meaning no known CVEs were detected in its container images. Snowflake reported an 18x ROI from moving its FedRAMP High environment, a data environment subject to stringent federal security standards, to Chainguard Images.
Market Size
Software supply chains are essential for every major organization and institution engaged in software development. As attacks on software supply chains become more frequent, the market for software supply chain security is rapidly expanding. In 2023, the market was valued at $12.6 billion and projections suggest growth could see that number exceed $30 billion by 2031.
The software supply chain security market includes different products and services that secure software at each stage of the development lifecycle. One significant component driving the software supply chain’s market growth is container security. Other solutions for software supply chain security encompass source code security, cloud infrastructure protection, and security for open-source components.
The container security market was valued at $1.5 billion in 2022 and is expected to grow at a compound annual growth rate of 26.5% from 2023 to 2030. It divides into two subcategories: container scanning and hardened container images. Container scanners identify and itemize vulnerabilities in containers and container images; they give developers valuable information about supply chain threats but do not themselves mitigate the vulnerabilities. The hardened container images market, in contrast, consists of secure-by-default images that contain low-to-no CVEs.
Chainguard operates within the hardened container images market through its product, Chainguard Images. The market for hardened container images is still developing, with Chainguard being a first mover.
Competition
Competitive Landscape
The competitive landscape for container security can be understood through two categories: container scanning and hardened container images. Container scanning is a solution offered by numerous cybersecurity startups, such as Snyk and Lacework, that focuses on detecting and listing vulnerabilities from a container. Hardened container images are pre-built container images with minimal to no CVEs. Chainguard operates in the hardened container images market by creating secure-by-default container images for developers across a variety of programs.
Chainguard considers itself a first mover in building an extensive catalog of vulnerability-free images for developers. An alternative source of hardened images is the Center for Internet Security (CIS), a nonprofit that publishes benchmarks for safeguarding organizations against cyber threats. Its images comply with those benchmarks, but CIS offers far fewer image types, and benchmark compliance does not mean the images are free of CVEs. Chainguard’s competitive focus is maintaining and expanding its image catalog, which acts as a moat against larger cybersecurity firms that could encroach on its market share by developing hardened container images of their own.
Competitors
Wiz: Wiz is a cloud security company founded in 2020 to help organizations identify and mitigate risks within their cloud infrastructure. In May 2024, Wiz raised $1 billion in a Series E led by Andreessen Horowitz, Lightspeed Venture Partners, and Thrive. The round resulted in a valuation of $12 billion making Wiz one of the most valuable cybersecurity startups. After rejecting a $23 billion acquisition offer from Google in July 2024, the company was reportedly planning to use the funding for acquisitions to eventually prepare for an IPO.
Wiz offers container security solutions and retains significant resources that may allow it to create container images to compete with Chainguard. Through Wiz Guardrails, the company offers container security solutions from build to deployment. Wiz Guardrails scans containers to analyze the internal packages and dependencies, helping to detect existing vulnerabilities. Unlike Chainguard, Wiz Guardrails primarily focuses on monitoring containers for vulnerabilities.
Snyk: Snyk is a cybersecurity platform that integrates with developer workflows to reduce vulnerabilities in applications, infrastructure, and containers. The company was founded in 2015, and its initial product was a vulnerability detection tool for open-source dependencies. Snyk raised $196 million in a Series G led by Qatar Investment Authority, with other investors such as G Squared, Sands Capital, and Tiger Global, at a $7.4 billion valuation, a 12% drop from its previous valuation of $8.5 billion. In 2023, a secondary market deal further reduced Snyk’s valuation to $3.3 billion. As of February 2025, Snyk’s valuation in secondary markets ranged from $3.6 billion to $6.2 billion, based on marks from mutual funds such as T. Rowe Price.
Snyk’s mission to provide developer-oriented solutions for software supply chain security is similar to Chainguard. However, Snyk’s solutions are focused on assisting developers with identifying and patching vulnerabilities seamlessly in their workflows. Chainguard’s container images create a stronger foundation for building a program for developers by being earlier in the development lifecycle.
Sysdig: Founded in 2013, Sysdig specializes in container and cloud security, offering runtime protection and monitoring for cloud environments. Like Chainguard, Sysdig has open-source roots: it started with the sysdig system-inspection tool for Linux and later created Falco, the open-source runtime security project. Sysdig raised $350 million in a Series G led by Permira’s growth fund alongside investors such as Accel, Bain Capital Ventures, and Insight Partners. The financing took Sysdig’s valuation to $2.5 billion, with average ARR exceeding $875K across the company’s top 50 customers.
Sysdig’s mission is to provide comprehensive security for the cloud environment similar to Chainguard’s cloud-native focus. Although Sysdig offers container and Kubernetes security, it focuses on monitoring and blocking risky container images instead of creating images without CVEs. While these solutions address security concerns, they are more reactive compared to the proactive security features of Chainguard Images.
Lacework: Lacework was founded in 2015 and offers automated cloud security and compliance solutions. The company’s cloud-native platform automates anomaly detection by deriving security insights from ingested data. Lacework raised $1.3 billion in a Series D led by investors such as Sutter Hill Ventures, Altimeter Capital, and Tiger Global Management. The company was valued at $8.3 billion following the round. In 2024, news emerged regarding a potential acquisition of Lacework from Wiz, with a proposed valuation ranging from $150 million to $200 million. As of February 2025, investors like Franklin Templeton had Lacework’s valuation marked to $3.6 billion.
Lacework minimizes vulnerabilities with its cloud-native application protection platform (CNAPP). The platform is a security solution for the entire application lifecycle compared to Chainguard Images, which provides security at the beginning of development. While Lacework specializes solely in cloud security, Chainguard Images are offered for a broader array of applications, languages, and environments.
Business Model
Chainguard offers free and paid versions of secure container images in the form of Developer and Production Images. Developer Images are a select set of free-to-use container images with the latest version of software for independent developers. Production Images are paid container images that include all versions of software and specific image types depending on entitlements added to the subscription. The decision to offer free and paid container images allows open-source software to be maintained and independent developers to build secure software while providing paid enterprise-ready images for organizations.
Developer Images are publicly accessible and can be pulled from Chainguard’s registry. They track the latest version of their packages and comprise a limited set of base language images, databases, and utilities, such as git, jdk, python, and node. Chainguard reduced the Developer Image offering in November 2024 but still maintains these images at the latest package versions. The reduction reflects the company’s shift toward producing more comprehensive Production Images for enterprise customers.
Production Images comprise the Developer Images plus enhanced container images, which are added to a subscription as entitlements. Subscription pricing depends on which enhanced image types are added: Application Images, Base Images, FIPS Images, and AI Images. A Production Images subscription also grants customers access to Chainguard’s console and dedicated customer support for implementing and managing images.

Source: Chainguard
Traction
In 2023, Chainguard Images became available to government agencies after Wolfi was accepted to Platform One, the U.S. Air Force’s DevSecOps platform. Wolfi’s addition to Platform One marked the beginning of the company’s collaboration with the U.S. government to secure the federal software supply chain. Shortly after Wolfi’s acceptance, the company announced in November 2023 that its ARR had tripled in the past six months.
Following the Chainguard Images launch at the beginning of 2024, the company saw 600% revenue growth over two and a half quarters. One unverified estimate put Chainguard’s 2024 revenue at roughly $40 million. As of July 2024, Chainguard’s customer base had grown 5x year over year and included federal agencies, financial institutions, and defense firms. This rapid growth attests to the rising demand in the hardened container images market as a whole. As of February 2025, Chainguard had nearly doubled the size of its team to expand its container image catalog and strengthen go-to-market functions. New hires include Kendra Mitchel, its first Vice President of People, and Caitlin Quinlan, Senior Vice President of Go-To-Market Strategy.
As of November 2024, Chainguard served over 100 enterprise customers, including Anduril*, Hewlett Packard Enterprise, Canva, and Wiz, with 1K secure container images. According to G2, the company ranked as the third best tool for container security behind Wiz and Lacework, at the end of 2024. By eliminating over 54K CVEs, the company claims to have saved customer teams over 216K engineering hours, equivalent to over 100 years of work.
Valuation
Chainguard raised $140 million in a Series C funding round in July 2024 at a $1.1 billion valuation, tripling the company’s value in less than one year. The Series C round was led by Redpoint Ventures, Lightspeed Venture Partners, and IVP with participation from existing investors Sequoia Capital and Spark Capital. The funding brings Chainguard’s total capital raised to $256 million as of February 2025.
Venture Capital funding for cybersecurity startups rebounded at the beginning of 2024 from $1.6 billion in Q4 2023 to $2.7 billion in Q1 2024 across 154 deals. However, in Q3 2024, funding for cybersecurity startups declined, mirroring the performance of the global funding market, with a decrease in deal flow of 41% compared to the previous year and 35% compared to Q2 2024. A survey of 400 private cloud companies revealed that cybersecurity cloud companies had the highest number of companies with $300 million in cash on their balance sheets.

Source: Crunchbase
Public cybersecurity firms reached record market capitalizations at the end of 2024. Notable examples include Zscaler at $26 billion and CrowdStrike at $71 billion, while Palo Alto Networks exceeded $100 billion, making it the most valuable cybersecurity firm. These valuations reflect growing demand for cybersecurity services among large enterprise customers globally. Research from Bessemer Venture Partners also indicates that public cloud cybersecurity companies outperform public cloud infrastructure companies on both valuation multiples and revenue growth rates.
These publicly traded cybersecurity companies trade at a range of 12.7x to 25.3x LTM revenue. Based on one unverified estimate of Chainguard’s 2024 revenue at ~$40 million, the company’s July 2024 valuation of $1.1 billion would represent a 28x LTM revenue multiple.

Source: Koyfin
Key Opportunities
Barriers to Entry
Creating secure-by-default images is a painstaking process that has been attempted by numerous companies without success. The process involves building a Linux distribution as a secure foundation for the images and sifting through thousands of lines of code for vulnerabilities. After launching Chainguard Enforce, the company shifted its focus to the complex task of building secure container images, a challenge that even drew skepticism from investors. Lorenc acknowledged the magnitude of the undertaking, stating:
“Yes, just based on the sheer numbers, the lines of code we would need to pore over and adjust to make secure, it was daunting. Everyone else looked at it and saw it as too hard of a problem, too massive to actually solve. But it seemed obvious it was something we needed to do.”
A year later, the team officially launched Chainguard Images. The company’s expertise in open-source code and container images played a role in bringing the product to market faster than anticipated. The benefit of these images presented a potential competitive advantage against other cybersecurity firms and in the secure-by-default container image market. Maintaining container images takes drastically less time than their creation and provides Chainguard with knowledge of how to address previous vulnerabilities. With few competitors in the container image market, Chainguard has a first-mover opportunity that can establish trust with customers to become the standard for secure container images.
Cybersecurity Spend
Organizations are increasingly investing in cybersecurity due to the rise of severe cyberattacks targeting infrastructure and software. According to Gartner, cybersecurity spending is projected to reach $212 billion in 2025, a 15% increase from 2024. Budgets for cybersecurity are predicted to continue growing, with end-user spending predicted to reach $288.5 billion in 2027. As these budgets expand, organizations are seeking comprehensive security solutions for every aspect of their software infrastructure.
The high costs of software supply chain attacks have made securing the software supply chain a priority for many organizations. One 2023 report found that 70% of developers and 52% of Chief Information Security Officers (CISOs) view the software supply chain as a top priority. The majority of developers and CISOs believe software supply chain security will become increasingly important to organizations in the next 5 years.
Chainguard's solutions are designed to address both existing and emerging customer demand for software supply chain and container image security. Because most organizations already build on open-source code and container images, Chainguard Images can be adopted as base images within existing development processes rather than requiring new tooling. Chainguard's subscription model lets organizations choose among different image types, catering to different cybersecurity budgets.
Regulatory Tailwinds
Following the SolarWinds attack, the Biden Administration issued an executive order requiring companies that do business with the federal government to adhere to stricter software compliance standards. The order underscored the need to improve national cybersecurity infrastructure and signaled a heightened regulatory push to secure both federal and private software. Together, the attacks and the executive order have given organizations a new sense of urgency about strengthening their software supply chains.
Given private and public demand for software supply chain security, Chainguard is positioning itself to capitalize on the regulatory climate and secure a larger share of the container image market. Its image catalog already offers organizations low-to-no CVE images, including variants that meet federal compliance standards. These images are listed on Platform One and are already used by government agencies as a trusted solution for software supply chain security. The company can also continue to extend the compliance standards its images meet; in January 2025 it began an arrangement with the Canadian Government to use Chainguard Images.
Key Risks
Competition
In the cybersecurity industry, competitors and alternatives to existing products inevitably emerge. Although Chainguard considers itself a first mover in hardened container images, new startups and solutions will arise as malicious actors develop new attack methods and organizations seek better ways to secure their software development and infrastructure. While large cybersecurity firms dominate parts of the industry, Bessemer Venture Partners notes that demand for alternatives prevents a few vendors from ever controlling the entire market.
While matching Chainguard's full image catalog is challenging, competitors may emerge for niche container images. Their entry requires Chainguard to continually expand its offerings. The company has already started offering AI and AI-GPU images in addition to images for commonly used languages and open-source software, and it accommodates customer requests for customized images. Expanding the catalog while preserving existing security measures requires a delicate balance: increasing the variety of images at the expense of security would open the door to increased competition in the container image market.
Evolving Threats
Attacks on the software supply chain against organizations and government entities have become increasingly frequent. One research report in 2022 revealed a 742% increase in software supply chain attacks since 2019. Malware and vulnerabilities have also increased, with 245K+ malicious packages identified in the twelve months to September 2023, double the total found in 2019-2022 combined. These evolving threats require cybersecurity firms to continually adapt their solutions to protect customers and maintain market share.
The rise of new technologies used to carry out cyberattacks, such as AI, has complicated the cybersecurity landscape and created uncertainty for cybersecurity firms and developers alike. For example, as of January 2024, fewer than one in ten global executives believed AI would give defenders an advantage over attackers in the next two years.
The increasing complexity and frequency of attacks on software supply chains present risks for Chainguard. Failing to protect its container images against new vulnerabilities or exploits would mean offering developers images that are no longer secure. Because new CVEs are published against already-shipped packages every day, an image that is CVE-free on release does not stay that way on its own; the value lies in how quickly each image is rebuilt with patched packages. The pace of new threats therefore works against Chainguard's desire to create new image types: as the catalog expands, maintaining low-to-no CVE images will require additional time and resources. Any delay or inability to address threats could undermine customer confidence in Chainguard's products, potentially leading to increased competition and decreased demand.
Summary
The rise of cyberattacks has underscored the need to build security into software from the beginning of the development lifecycle. Chainguard is a cybersecurity company that creates and maintains secure base container images, allowing developers to build software on packages and dependencies free of known vulnerabilities. The company's products enable developers and security teams to spend more time creating software and less time identifying and mitigating vulnerabilities.
The growth of Chainguard's customer base and revenue signals demand for secure container images. However, emerging competitors and newly disclosed vulnerabilities could challenge the company's efforts to maintain market share. Chainguard's success depends on its ability to keep expanding its catalog of container images while keeping every image secure by default.
*Contrary is an investor in Anduril Industries through one or more affiliates.