Announcing Chainguard's Series C! Also, Software Supply Chain Security Category Was Dead On Arrival

The cybersecurity market is crowded, noisy, and loud. New categories appear in analyst reports, get their hype cycle, confuse CISOs and security teams, and fade away just in time for the next wave to crest. The software supply chain security market is no exception, and in many ways even worse than average. The Solarwinds breach in 2020 and subsequent cybersecurity regulations from the Biden Administration amplified the nascent software supply chain space, but market immaturity is making it fade even faster than normal. Software supply chain security was dead on arrival.

The category can broadly be broken down into three areas, lumped together:

1. Rebranded SCA tools that market bells and whistles like reachability or malware detection to convince you they’re something different from what the market already provides;
2. SBOM platforms waiting for a government mandate to save them; and?
3. Well-intentioned attestation platforms that the market is five years too early to care about.

Existing SCA and CSPM tools are already good. Adding support for pipeline scanning and limiting noise is already on their roadmaps or in their products. Sonatype has flagged malicious code using behavior analytics for close to a decade now. Snyk has reachability analysis, and Wiz can scan CI/CD pipelines. These are all features, not core differentiators, and it’s going to take something novel to break through in this space. Also, the last thing anyone wants is another scanner adding more noise to their scan results and teams.

SBOMs just aren’t going to happen, at least not the way they’re currently envisioned or required by government regulations. Data quality is terrible, and incentives are not aligned to improve them at all. Rather than a set of tools and platforms making the entire network better, we’re left with a bunch of “check the box” compliance offerings hoping for a government mandate to require enterprises to buy their solutions.

Existing SCA tools already generate workable SBOMs, and trash bins are perfectly capable of storing them. CISA, the largest proponent of SBOMs within the federal government didn’t even include them in their self-attestation form because NIST largely excluded them from the SSDF. Don’t get me wrong — the idea could work, but it would take a long-term strategy carefully designed to align incentives around quality and accuracy to get us to a place where SBOMs can add value beyond black-box SCA tooling, and that’s just not happening.

And as much as I wish people cared about attestation, they don’t. The average company is still building on unpatched Jenkins servers under people’s desks and in closets. There are far more pressing concerns for every security team in the world, and cryptography is really hard to get right anyway. Outside of a few highly, highly, highly regulated use cases, these aren’t going to catch on at scale.?

Even if they do, GitHub and the CI/CD vendors are going to do this automatically, better than anyone else can because the platform layer is the right one to build this at. You’re either looking at complex, services-led retrofits into existing build systems or just waiting until folks adopt next-generation CI/CD pipelines where attestation happens transparently. Accenture will make a killing on the former, and GitHub/GitLab will capture the latter someday if anyone even cares.

End rant.?

With all that out of the way, I’d like to announce that Chainguard has raised $140M in Series C financing from Red Point Ventures, Lightspeed Venture Partners, and IVP, with participation from existing investors Sequoia Capital, Spark Capital, Mantis VC, and Amplify Partners to build and scale our version of a software supply chain security platform.

I know what you’re thinking: “I thought you just said the space was dead on arrival?” I did! The space is all wrong, and needs a different point of view to solve the important problems in this space, and that’s what we’re doing. Open source is 90 - 98% of the code in modern software development, and while layers of tools can help you identify problems in it, the average engineering or security team would rather get a root canal than add another pile of issues to their backlog. We need ways to fix these issues, not just add more to the pile with fancy filtering. And that’s what we’re building, the “Safe Source For Open Source.”

This is hard, toilsome work that never ends because open source never stops. This isn’t a new idea, but the rate at which open source is consumed in enterprises has increased dramatically over the last few years, and the ways in which it is developed and consumed have shifted as well. Existing solutions haven’t kept up with the pace or scaled to the new methods.?

Our Chainguard Images platform provides a safe, trusted way to build software on top of containers through a fully-managed open source supply chain. This isn’t a new tool or a scanner, we’re providing a secure software supply chain, starting at the root — open source. We’ve built a Software Factory that can securely build and maintain any open source software in the world. In our factory, we update and patch open source software as quickly as possible. As we funnel more software through the factory, our customers have more access to more secure software.?

We build, package, test, patch, triage, harden, scan, and secure every piece of code we ship. The results can feel like magic — zero CVEs in scan results — but it’s just a lot of hard work, automation, more hard work, and more automation. This is a business that doesn’t feel like it can scale, but we’re just replicating the work done by every security team trying to figure out what to do with their scan results centrally. We’re nowhere near done, but we’re betting that most people use mostly the same open source and that at scale, we can do this more securely, more efficiently, and just plain better than anyone trying to do this on their own.

Our bet is already paying off: Snowflake saw an 18X ROI moving their FedRAMP High environment to Chainguard Images. Another customer reduced vulnerability scan results from 18M to 5M in 30 days across their entire infrastructure. Another reduced CVEs by 96% and gave 10% of engineering’s time across thousands of developers back to developing to do what they do best – innovate. This is simply a better way to build software.

The business is growing faster than we imagined, and every quarter we’re shocked at both how much value we can deliver to our customers and how many more desperately need what we’re offering. Revenue grew by 600% in the two-and-a-half quarters we sold this product last year, and we’ve already tripled again this year. We’ve seen a 5X increase in our customer base year-over-year and more than doubled the size of our team to get Chainguard Images into the hands of as many customers as possible. Thank you to those who are already working with us, both customers and partners.?

This extra funding allows us to double down on growth across go-to-market with expansions into the U.S. Public Sector market and international expansion. It will also allow us to scale our Software Factory to move from just container images to provide a single, safe source for any open source software our customers need.?

Finally, as we scale, the security impact and criticality of our system also grows. Our software is already used in some of the most regulated (Federal government, finance, healthcare) and sensitive environments out there (data science, AI/ML) and that’s only going to increase. We need to continue pushing the industry forward on how we think about building systems and open source security in general. This means we need to make sure that our Software Factory isn’t just the most scalable one on the planet, it’s also the most secure.

I’d love to thank our hardworking and brilliant team for everything they’ve done to get us here. This all sounded crazy at first, but it’s clearly working, and we need to go faster. Our investors bet on us early and have also been a huge part of this mission. We couldn’t have done it without them.?

If any of this sounds fun, interesting, or you just have a morbid fascination with understanding and debugging build scripts and compilers, we’d love to have you join our team. We have a lot of roles open in basically every department. Check out our careers page and join us to deliver a better, more secure foundation for building software. More importantly, become a part of a team that lets developers do what they do best – develop!?