This discussion at Chainguard Assemble 2026 examines software supply chain security, the role of artificial intelligence, software bills of materials, and the Anchore–Chainguard partnership. Neil Levine, senior vice president of product at Anchore, outlines Anchore's approach to hardening the software supply chain through continuous cataloging, policy enforcement and automated assessment. Levine presents product strategy for scaling product-security workflows across development and production environments. The participants emphasize that software bills of materials (SBOMs) provide a foundation for transparency, while artificial intelligence (AI) changes dependency profiles and increases complexity.
The discussion is hosted by Rebecca Knight with analyst Paul Nashawaty. Key takeaways include Levine's assessment that SBOMs remain essential but must be paired with continuous automated policy checks to manage the escalating complexity introduced by AI and open source software. The participants note that attackers leverage AI to expand attack surfaces, requiring security automation to scale product-security teams. The hosts and analysts highlight that Anchore and Chainguard together address the last-mile compliance challenge, helping engineering teams deliver secure software more quickly.
Neil Levine, Anchore
HOST: Practice Lead and Principal Analyst, theCUBE Research
HOST: Rebecca Knight, Host, SiliconANGLE Media
In this interview from Chainguard Assemble 2026 in New York City, Neil Levine, senior vice president of product at Anchore, joins theCUBE's Rebecca Knight and theCUBE Research's Paul Nashawaty to discuss how AI-generated code is dramatically expanding the software supply chain attack surface. Levine explains that AI introduces dependencies without human discretion — pulling in unfamiliar packages or even writing its own — making it far harder for organizations to know what is actually running in their environments. He highlights how SBOMs have matured from a ...
>> Welcome back, everyone, to theCUBE's coverage of Chainguard Assemble here in New York City. I'm your host, Rebecca Knight, alongside Paul Nashawaty, principal analyst. We have Neil Levine. He is the SVP of product at Anchore. Welcome, Neil.
Neil Levine
>> Thank you.
Rebecca Knight
>> Direct from Berkeley, California.
Neil Levine
>> That's correct. Thank you for having me.
Rebecca Knight
>> So Anchore sits at the intersection of visibility, policy enforcement, and governance across the software supply chain, which sounds incredibly important and exceedingly complicated, but also a little abstract. Why don't you tell our viewers a little bit about what you do at Anchore and explain Anchore for people who might be less familiar?
Neil Levine
>> Sure. Of course. So I run product management, so responsible for the product strategy, the product roadmap. And what Anchore does is yep, we're trying to help harden the software supply chain, make it more secure. And a way we do that is by monitoring every piece of software that goes through a customer's environment, trying to catalog it, to work out what it is, what problems it might have, and ultimately trying to apply policies to make sure that it's safe and it's ready to go out to your customers or to run. So essentially, making sure that last mile compliance has got all the green check marks on it. So it's a continuous platform for just making sure that you've got no bad software in your environment and that everything's ready to go.
Paul Nashawaty
>> Yeah. Well, the software supply chain has gone through major changes. Most certainly has gone through changes in last year in itself, just with introduction of AI. The thing that I hear quite a bit from many organizations is complexity and skill gap issues are major challenges. So when we start seeing the development across, whether it's the citizen developer or the professional developer, and they're using software supply chains in order to build their code out, what is the area where you see this as how it can be changed, and how has AI impacted the software supply chain, especially over the last year?
Neil Levine
>> Yeah, the past year has been pretty intense. I mean, I wake up every morning, and I check my news feeds, and there's always at least one major security announcement that's going on, which makes you feel like you're doing something good because there's a lot of problems out there. And yeah, the changes, AI is definitely part of that. There's been an acceleration of attackers using AI to find exploits, which it's only going to get worse over the next few years. And just I think in general, companies have become so much more aware of their attack surface around their use of open source. And so just the level of concern in the C-suite has gone up massively. About 15, 20 years ago, the use of open source was seen as this completely unalloyed, amazing, beautiful gift that was given to developers, all this free software to use. What's not to like? And now I think companies have flipped, and it's, "Oh, my God, we've got open source everywhere. We're using open source everywhere." It's really scary because they see all of these attacks, and they're going up. And so that's what makes companies like Chainguard and Anchore so critical of this, because I think they've now realized that the risk is not just out in production where it used to be when defend with firewalls and so on. It's actually every software developer and every part of the software development process is a potential risk factor now.
Rebecca Knight
>> So, from a risk perspective, what specifically changes when code is being written by AI versus when it's being written by a human who at least theoretically has a read of what they're pulling in?
Neil Levine
>> So I think there's two areas of what's changed. One, as Paul was saying, is the complexity. It used to be a couple of years ago, you could say, "Oh, we're a Java shop. We're a Python shop. We know what we're using." Now you don't. AI will bring in whatever it thinks is necessary, and so just a range of different software you have in your environment is so much greater and so much more diverse. You also have a situation where AI sometimes is writing its own dependencies. It might not be bringing in something that's widely used or widely maintained. It might be writing its own dependencies to replace code or provide functions. And so you can't even trust the software is being developed by humans. There's no discretion necessarily applied by AI. It's just trying to get a job done. So the complexity and the identification aspect around software has really exacerbated the supply chain concerns that companies are having.
Paul Nashawaty
>> Yeah. We're seeing, at the keynote earlier today, you mentioned open source. We saw that adoption is taking off. It's going everywhere in the ecosystem. So when we look at Anchore's role in the securities software ecosystem, the traditional ways to examine software using SBOMs and doing vulnerability scanning and look check for CVEs and all this, that is morphing and changing. Can you touch a little bit about that? Especially in how it impacts, like what we're seeing here at Chainguard's event, how does that impact the organizations?
Neil Levine
>> So the first step is trying to help companies understand what they're using. Most companies don't actually know, as I said, the vast complexity of software they have. It's really unclear. It's opaque what they've got. So, Anchore is there to try and make it less opaque, to bring some transparency to do that. SBOMs are a core part of that. SBOMs, they've been in the news for the past couple of years, but we're now seeing a maturity of use and adoption because they do help you give that very first set of data. So you can ask the question, do I have this? The dependency. Do I have this piece of software? Which version of it? Am I exposed? Is it vulnerable? and so on. So SBOMs are still the foundation for that, and that's the transparency that we try and provide. But the second part is this, and the continuous automated assessment of that. We're at a point now where you can't have product security teams do that. The number of people in product security are just not there to monitor, and to inspect and evaluate, and apply policies. It has to be done in an automated fashion. It's not exactly how we're trying to change this to essentially give product security teams the way to scale with the use of AI is obviously growing up, but how do product security teams scale with the use of AI? And that's what we're trying to do to help manage that complexity in an automated fashion.
Rebecca Knight
>> So you have a partnership with Chainguard. Can you talk a little bit about that partnership and what is the gap that neither of your company can solve alone? How do your pieces fit together?
Neil Levine
>> Right. So Chainguard is the starting point. You consume their goods. They're giving you the ingredients to fill the fridge, fill the oven, but ultimately, you still need to check, is this thing ready to go to our customers? So that's what we do. We give you that perspective of you've consumed the software, you've probably added your own code on top, your own customer application, which is ultimately what you're selling or shipping. We help answer that question. Is it good to go? Is it ready? But there are other areas we've been working with Chainguard as well. There's a lot of compliance areas where Chainguard are helping harden these images to get them ready for compliance, but how do you prove they're compliant once they're actually in your software factory or in your development teams or ultimately out in production? So that's what we've worked with Chainguard to give that last mile compliance checklist and automated workflow to... So you can show your regulators or your GRC teams that you're now compliant and you have the evidence to prove it.
Paul Nashawaty
>> So when we start looking at the software development life cycle, when we start looking at the application releases and such, you talk about the ingredients and kind of putting it together, making it all work. There's a disconnect between the software delivery and development and the security delivery and development. So the partnership that you're talking about, when you have the ingredients, you're making sure that things are checks and balances are in place, that is bringing those two things closer together.
Neil Levine
>> Exactly.
Paul Nashawaty
>> Does that make sense?
Neil Levine
>> Yeah, exactly. That's right. So Chainguard ultimately giving the ingredients to developers to use, and I think the message which has resonated well is don't waste your time fixing vulnerabilities. We'll do it for you. So developers' lives have become much easier in that regard, but the product security teams are still the ones who actually have to give that final seal of approval. They're the ones who have the responsibility to say, "Our risk is low, this is good enough to go to our customers or go out to the end user or the partner, whoever it is." So yeah, exactly. Chainguard and Anchore allow you to combine that so you get both bases covered. You have the developers, more efficient, less time chasing security issues, but a product security team's also able to help make sure that the software is shipping much faster as a result of the use of the two technologies.
Rebecca Knight
>> So what does that unlock? If the developer is not having to deal with the noise of security issues and has less friction in their workflow, what changes would organizations see?
Neil Levine
>> I think ultimately it's speed; they get software out faster. They ship quicker, which is the goal of most organizations, is just to get those features out there quicker. And I think this is what all the supply chain attacks over the past year have shown, which was that they had the tools to write the features, but what was slowing down was the security and compliance, because there were so many issues, so many things that had to be vetted and checked before you could ship the software. And that was slowing down the organization as a whole. So, where you're competing on getting features and value out to customers, if security is that blocker, that's a problem. And that's essentially what Chainguard and Anchore are both trying to help you do is just get your features out to customers faster, allowing you to scale with limited amount of people, but with a lot of software going through, our products grease the wheels, as it were, of the organization.
Paul Nashawaty
>> So a lot of what we've been talking about and gathering around here is where we like to see the market shift, where the market is kind of going, where its organizations are trying to get to. I was on the vendor side of the world for about 25 years, hate to admit that long, but I was on there for 25 years. And I go to work like this, and I say my products were the greatest thing ever. One of the things that kind of comes to my mind is, I often forgot that what I was developing, my customers were not really going to be implementing for the next two to three years out. I guess what I'm asking here, because security and software development is happening so rapid, so fast, and so vulnerable, so to speak, is this adoption happening faster than I'm saying with regards to like what from the vendor world community, or is this something that's like, we're trying to get ahead of it before something happens?
Neil Levine
>> No, I think security's been playing catch up. If you look at a lot of the companies and the features and availability, whether it was just the cloud or the adoption of CI/CD, I think software development teams got the DevOps religion pretty early and they managed to ship software in this way, which was demonstrating how you can really adjust the market demands really quickly and to use the feedback really quickly. And security was left out of that initial wave of software development. It was like, let's not worry about security, let's just get the features out there. And I think what we've seen over the past certainly five years is security catching up where we got the software out to users, but it's riddled with security issues that's blowing back, that creates bad reputation risk for the company selling the software, gives users a bad taste or large organizations are very nervous about adopting software from companies that were "moving fast and breaking things".
So I think security has actually been missing, and that's the piece that has come to the fore over the past five years just because the market was demanding it. So we want these features, we want to consume them quickly, but we need to know they're secure at the same time. It's not enough just to get the new code. We need to have the new code, and it be secure at the same time. So I think a lot of what Anchore and Chainguard, the other vendors in the space, are doing is actually fulfilling the goal of what DevOps is trying to achieve 15, 20 years ago, which is continuous delivery of features, but now with security.
Rebecca Knight
>> So one year from now, right now we're at the second-ever Chainguard Assemble. Next year will be the third, of course. This company is growing so quickly, Anchore alongside of it too. What do you think we're going to be talking about next year at this time? What will be the big issues that will keep up at night and the big opportunities?
Neil Levine
>> Well, the attackers are endlessly innovative. So this is one downside of this industry is that often, the attackers set the agenda, and that's why AI has now come to the fore. It's definitely going to be AI again next year. All of the issues that we see with AI are just, they're the first wave of security concerns that are now coming to the fore, whether it's people hitting GitHub actions or attacking individual developers' accounts. This is just the beginning. So if you think about what the internet was like in '94, '95, and what it was like 20 years later, this is month one of where we are with AI related to attacks. So I can continue to see Chainguard looking to secure as much of the assets and processes that AI may be interacting with and/or trying to take advantage of. And we're in the same place. We've also got to respond to the challenges and the opportunities that AI is producing. So yeah, I'll put money on AI. I think it's an easy bet to make for-
Rebecca Knight
>> I will take that bet...
Neil Levine
>> a year from now.
Rebecca Knight
>> Exactly. Neil Levine, thank you so much for coming on the show. A great conversation-
Neil Levine
>> No. Thank you very much for your time. Thank you.
Rebecca Knight
>> I'm Rebecca Knight for Paul Nashawaty. Stay tuned for more of theCUBE's coverage of Chainguard Assemble. You're watching theCUBE, the leader in enterprise tech news and analysis.