James Governor's Monkchips

Chainguard builds a market, everyone else wants in.


image of a yellow container, with a protective lead seal

talking to Chainguard. dear lord they’ve apparently established a license to print money. they’re in very good shape. huge amount of progress in the last 18 months

The above quote is from me posting on LinkedIn a few months back. Chainguard essentially built a market from scratch for secure, hardened container images with guarantees against Common Vulnerabilities and Exposures (CVEs), hitting the knee in the curve last year with a huge growth in customer logos and an associated revenue burst. We have rarely seen competitors coalesce around an opportunity so quickly: Docker, SUSE, Root.io and RapidFort are all pushing hard to win market share against the newly minted market incumbent. Replicated is pivoting into the space with SecureBuild. The latest company to join the fray is perhaps surprising. Wiz just announced WizOS, a hardened Linux distro with its own build pipeline and security model. A cloud security vendor going after developer build security is an adjacency play.

When Chainguard was founded in 2021, it initially focused on securing the software supply chain by improving SBOM (Software Bill of Materials) generation, signing, and verification. The company's early offerings were built around software provenance tools, notably Sigstore and Cosign. The real need, however, was for secure-by-default software, and that's the approach it now takes, with its own container-native "un-distro", Wolfi. Images are minimal and hardened and include only what's necessary (for example, they don't include a shell, a package manager, or other unnecessary binaries), which reduces the attack surface an attacker can work with once inside a container.
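To make that concrete, here is an added example of how a service is typically packaged on a minimal image of this kind. It is not code from this post or from Chainguard: the toolchain lives only in a build stage, and the runtime stage starts from a static base that ships no shell or package manager, so there is nothing to `RUN` there and nothing for an attacker who lands in the container to execute. The `cgr.dev/chainguard/go` and `cgr.dev/chainguard/static` references, the `./cmd/server` path and the `65532` uid are assumptions for this example, not facts taken from the post.

```dockerfile
# syntax=docker/dockerfile:1

# Build stage: full Go toolchain, used only at build time and never shipped.
# (Image reference is an assumption for this example.)
FROM cgr.dev/chainguard/go:latest AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static, stripped binary so the runtime image needs no libc, loader or debug info.
# (./cmd/server is a hypothetical main package.)
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/server ./cmd/server

# Runtime stage: the hardened minimal base. There is no shell and no package
# manager in it, so RUN instructions are not possible here and nothing but
# the binary and its runtime data ends up in the image.
FROM cgr.dev/chainguard/static:latest
COPY --from=build /out/server /server
# Run unprivileged; 65532 is the conventional "nonroot" uid in such images
# (assumption: adjust to the uid your base image documents).
USER 65532:65532
# Exec form is mandatory: shell form would need /bin/sh, which does not exist.
ENTRYPOINT ["/server"]
```

Two practical consequences of the missing shell are worth knowing before adopting this pattern: `docker exec -it <container> sh` will fail, and any `HEALTHCHECK` or `ENTRYPOINT` written in shell form will fail at runtime rather than at build time. Debugging is done by attaching an ephemeral debug container (for example `kubectl debug` with a separate tools image) instead of by adding tools to the production image, which is exactly the trade-off that keeps the attack surface small.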

Linux distributions of the pre-cloud era were not designed for the kind of rapid change we see in software development today, with packages being downloaded and pulled into new software builds on an ongoing basis. Containers changed the game. The need for a more real-time approach to updating images maps to today's software delivery lifecycle requirements. Organisations want to feel confident their developers are not using packages with known CVEs. Playing patching whack-a-mole sucks, and it's bad for business. That's the opportunity.

There’s going to be even more competition, which should be good for customers, and good for secure software supply chains everywhere. So far the claim from these new market entrants has mostly been that Chainguard is expensive, but they’re going to need to sharpen their attacks and do better from a product management perspective to really cut through. For example, Chainguard now supports virtual machines as well as containers. That said, platform incumbency is a huge advantage, so you can’t write off competitors.

If you’re an organisation using containers, or just shipping regularly, you really need to consider a Hardened Images platform. They can be a core foundation for better, faster, more secure, software delivery. Security is actually shifted left, because developers are using trusted images. Move fast and trust things.

This post certainly isn't intended as a thorough comparison of market competitors, but was triggered by the news about WizOS, which, again, surprised me. The market opportunity is very real.


disclosure: Chainguard and Docker are both clients.
