Bundled hardened images shift buying motion
$40M/yr Vanta for containers
Cybersecurity and DevOps incumbents are bundling secured images as an upsell
This shows secured images are quickly becoming a bundle feature, not a standalone category. Docker and Wiz are taking something Chainguard sells as a core product and attaching it to products customers already buy, which changes the buying motion from net-new security budget to a simple add-on inside existing developer and cloud security workflows. That makes distribution and installed base as important as image quality.

- Docker launched Docker Hardened Images in May 2025 as a catalog of hardened container images tied to Docker Hub and existing developer workflows. That matters because Docker already sits where teams pull and publish images, so secure images can be sold at the registry layer instead of through a separate security purchase.
- Wiz launched WizOS in private preview in May 2025 as near zero CVE base images fully integrated with its cloud security platform. In practice, Wiz can tell a security team which running images to swap, enforce trusted image policies, and push adoption through the same console they already use for cloud risk and compliance.
- Chainguard still has the cleanest wedge because it rebuilds images from source, strips unnecessary packages, continuously patches them, and sells them directly at roughly $20K to $30K per image per year. But once incumbents bundle similar images, the fight shifts from proving the problem to proving better coverage, faster patching, and expansion into packages and VMs.

The category is heading toward platformization. Secure images will pull customers in, but the winners will be the vendors that turn one image swap into a broader control plane for packages, VMs, policy enforcement, SBOMs, and compliance evidence across the full software supply chain.