Chainguard Secures Legacy Infrastructure
Chainguard
Chainguard VMs turn a container security product into an infrastructure security product. Instead of only protecting software teams already running Docker and Kubernetes, Chainguard can now sell hardened VM images for the old estate that still runs Jenkins servers, Nginx gateways, Squid proxies, and language runtimes on cloud instances or on prem virtual machines. That matters because most large enterprises still operate a mixed fleet, and the security budget sits across that whole fleet, not just containers.
-
The practical workflow is simple. A platform team swaps in a Chainguard base VM or app VM, gets a smaller image with fewer packages, daily rebuilt artifacts, SBOMs, and compliance reporting in the same console they already use for Chainguard Images. That makes VMs a natural extension of the existing product, not a separate tool.
-
This also widens the market beyond the roughly $1B container security segment into the hardened VM layer, estimated at about $3B, where Red Hat is the clearest incumbent. It lets Chainguard sell into enterprises that want the outcome of fewer vulnerabilities before they finish a full container migration, which can take years.
-
The competitive shift is important. Docker and Wiz are pushing further into secure images for container workflows, while Red Hat has the strongest position in traditional enterprise infrastructure. By adding VMs, Chainguard stops being boxed into cloud native teams and starts competing for the broader operating system and middleware layer across both modern and legacy environments.
The next step is for Chainguard to become the default hardened software layer across containers, libraries, and VMs. If that happens, enterprises will buy one supplier to secure both new Kubernetes workloads and the older virtual machines that still run critical internal systems, which raises contract size and makes Chainguard harder to replace.