Chainguard's Images Becoming Table Stakes

The real risk is that secure container images are moving from a stand alone product into bundled infrastructure. Chainguard wins today by giving platform teams drop in replacement images that remove vulnerable packages, ship signed SBOMs, and stay patched without internal toil. But once Docker, cloud platforms, and security suites ship similar images inside tools teams already use, the buyer stops paying extra just for cleaner base layers.

• Chainguard’s current wedge is concrete and valuable. Teams can swap a base image in a Dockerfile, get a rebuilt image with near zero known vulnerabilities, and offload the work of patching and provenance. That has supported rapid growth to about $40M ARR by January 2025.
  1 sacra 2 sacra
• The competitive pressure is also concrete. Docker launched Hardened Images in May 2025, then made more than 1,000 hardened images free and open source in December 2025, while selling premium enterprise support on top. That is exactly how a premium feature starts turning into table stakes.
  3 docker 4 docker
• Google and Wiz point in the same direction. Distroless gives developers free minimal base images, and WizOS extends hardened images into a broader cloud security platform. In that market, the standalone image is less important than who owns the full workflow around building, scanning, approving, and deploying software.
  6 wiz 7 github

This pushes Chainguard toward a broader platform. The next step is to sell security that travels with the whole software stack, across containers, language packages, and VMs, with faster patching, compliance evidence, and support that free bundled images do not provide. That is where premium pricing can keep holding.