At RSAC 2025, John Furrier of theCUBE Research sits down with Ryan Carlson, president of Chainguard, for a lively conversation on the future of security innovation. Carlson shares how Chainguard is reshaping the software supply chain, tackling open-source vulnerabilities and empowering companies of all sizes to develop safer, more efficient code.
Carlson dives into Chainguard’s vision, highlighting its cutting-edge approach to securing Kubernetes environments and streamlining software development. The discussion takes a look at real-world impacts, from reducing attack surfaces to supporting startups and Fortune 500 giants alike. Chainguard’s work is helping to set new standards across the security landscape, according to Carlson.
Key highlights include Chainguard’s $365 million Series D funding, a strong vote of confidence from the market. They unpack how Chainguard’s disruptive security strategies are gaining momentum, influencing industry best practices and helping developers stay productive while staying secure.
Ryan Carlson, Chainguard
>> Welcome back, everyone, to theCUBE's
live coverage here in San Francisco, California, here for RSAC 2025. This is the biggest security
conference in the world, where business and the
tech leaders come together. Of course, theCUBE is extracting
the signal from the noise, and we've got a great lineup
of four and a half days. Really, the security industry
is at an inflection point, as we're starting to see
major replatformization. We are in the replatformization
era in security, and it's changing up and down the stack, from AI infrastructure, platform
engineering, cloud-native, to now full-blown integrated
LLMs, foundation models, all multimodal AI at the top of the stack, and of course, low code, no-code, more apps are hitting the scene. Ryan Carlson is here with
Chainguard. He's the president. Our good friend, Dustin Kirkland's VP of Engineering, shout out to Dustin. Ryan, thanks for coming on
theCUBE. I heard you're a neighbor for Dustin, too.
Ryan Carlson
>> Yeah, thanks for having me. Yeah, Dustin and I live about one
minute apart, randomly, and so we are a fully
remote company, but Dustin and I get to see each
other in person a lot. >> Yeah, have a barbecue, >> talk about the product roadmap,
see what's being built. >> Exactly. - All fun. Well,
we're big fans of Chainguard. >> Of course, we covered your
event. Again, small but growing.
>> You guys have a very
unique product, getting inside the open source safety angle. Also, cloud-native, I love
what you're doing with LLMs, but I couldn't help see the news. I had to write it down.
$365 million raise, series D funding round at a huge $3.5 billion valuation. Huge validation to what
you guys are doing. Congratulations on the news. How you feeling, pretty
good as the president?
Ryan Carlson
>> Yeah, no, I appreciate it. Thanks. Yeah, in many senses,
that is validation of what Chainguard has, but in
just as many senses, it's a validation of what
we have in front of us, that we now have a big
opportunity in front of us. We're just getting started and the extra funding certainly helps. >> It's like sports. You get that victory, you got another game, another round to go. Every time you do a milestone,
it's just the start line. Celebrate, but then move on, get ready for the next milestone. Talk about the funding and how that relates to
where you guys are at. Take us through one, the
market you're targeting and where the business is at right now.
Ryan Carlson
>> Yeah, well, Chainguard is riding a couple of massive waves. First, anybody that's using open source
software can be made better with Chainguard and anybody
who cares about keeping their company secure can be
benefited by Chainguard. Obviously, that's every
company on the planet. Our customers range from
series A startups building AI applications to Fortune
500, pharmaceutical and healthcare companies. It's the U.S. Federal government in multiple different divisions. It's software companies,
security companies. For us, what we're really doing with the additional investment
is trying to get this product and technology into every company's hands. They can all benefit from it. Now, we have more investment
to take it to them. >> You got a huge TAM.
- Yes. >> Great market opportunity, hence the interest from the investors. Back in the old days of open source, the only real pain in
the butt thing you had to worry about was,
which license am I using? How's that going to impact my valuation? Now, the security piece, because of the mainstream of
whatever generation you want to call it, fifth, sixth, 10th,
open source now is standard. All builders are using open
source, the foundation models, all the AI models highly
accelerated with open source. Cloud-native, maturing,
still open source. Where's the security angle on that? How did this all get started? Did you guys come in from a, we want to make the code secure? Was it coming in from the platform side? What was the core problem that you guys narrowed in
that people were having?
Ryan Carlson
>> Yeah. Open source software
is the most secure version of software because you
have communities behind it, many organizations using it, so it's the most secure software out there, but it's not perfect. Chainguard's origins, we
built in our initial product that gave people visibility and insight into their
software supply chains. That visibility and insight
was valuable to everybody, but everybody, we brought
that first product to said, "This is great, but I
have a bigger problem. How do I fix this?" Visibility is important, but actions was a bigger concern for them. Sometimes, startups go through a pivot. I wouldn't describe what
we went through as a pivot, it's more of a deeper insight. We realized with the DNA of the founders and the early engineering team and the technology team that we've built, we know Kubernetes, one of our co-founders and one of the co-creators of Kubernetes. We know distroless architectures. We know open source
software and how it's built and the nuances of packages
and libraries and dependencies. We realized we can help
people fix these things by rebuilding from source. Our products today are container images that are rebuilt from
source all the way through to registry, so people have
visibility and context, but really, what they're
getting is open source software with the vulnerabilities remediated. That led to a really deep insight. Most security solutions maybe
come at the expense of speed or most innovative solutions
come at the expense of security and risk. We feel like we can
solve a security problem and help companies go faster because we're doing work on
their open source software that they would have had to do themselves. >> Ryan, one of the things
that you bring up that I want to point out and would
love to get your thoughts and reaction to is, you guys are really solving the open source at scale problem. My example was when it
was a little bit slower, even patches, everyone
has the patches out there. I mean, these are little
things are human errors because time, toil, grunt work, but when you're running
at scale, large systems, large software environments, full supply chain is at play. This is new.
Ryan Carlson
>> Yeah, yeah. There's no analog. Chainguard isn't a modern version of a company that was doing this before. We sometimes say we are
competing with hundreds of thousands of engineers. They're employed by our
customers whose engineers are spending time in ways that we don't think they should anymore. Because we're doing this
in a centralized fashion and we've invested in what we
sometimes call the factory, you've talked to Dustin
about this, I'm sure, we can do this more thoroughly,
more comprehensively, more quickly than any one
organization could do themselves. Nobody loses when Chainguard
wins. Everybody benefits. >> Yeah. Also, it brings up the whole, not to get all entrepreneurial on you, but the classic conventional wisdom is, build a category, educate everyone. You guys built a category here and you said no pivot, pivot
means you stop and turn. It's not working. It was working. You guys just changed its trajectory. Talk about how you build the company. I call it by accident on purpose. You're in the market and
then you just ride that wave. You guys are building a category. What were some of the
learnings as you look back and look at what's happening
now, this category, you were just riding this wave
and what was the culture like and how did you guys operate through this?
Ryan Carlson
>> Yeah, it's a great question. A lot of times when people want to build a category, everybody wants to build a category
because it's something new, it's something innovative,
it's something disruptive. >> VCs tell you.
- VCs tell you to do it.
Ryan Carlson
>> The challenge with that, I'm
a category creation skeptic. >> The challenge is, we're
walking into a customer saying, "I'm doing something that's
never been done before." Guess who has budget for something that's never
been done before? Nobody. >> Zero budget. Yeah.
- Yeah. That's the challenge.
Ryan Carlson
>> The fact is that Chainguard
does not go into customers who have budget set aside for us because they didn't know
that we existed before, but we're able to very quickly demonstrate to them why this is a high ROI investment because we show them the
time they're spending on the engineering or platform side to fix a security problem is one that we can do better for them. You asked for some of the lessons learned. One of them is, we really
felt like we would do best by selling to chief security officers. That's why we're here
at the RSA conference and we thought that should be our focus. We learned very quickly that
focusing on CISOs is important for Chainguard, but we have to
equally focus on CTOs, those who build the infrastructure
are building the software, whose team's time we're saving also benefit the security team. We are unique in many different ways. One of which is that CISOs and CTOs alike both benefit from Chainguard. >> You've got two stakeholders,
you've got the pain sufferers, and then you got the business benefit coming together. It's interesting you
mention about the category, my friend Paul Martino, founder
of Bullpen Capital, loves that you've been these on
little podcasts he's doing. He loves to invest in
zero to one companies. One of his companies is FanDuel.
There was no TAM for that. No VC would invest in FanDuel. How many gamblers are out
there on for sports? Nobody. This is what happens. You
guys get traction, it grows. Now that you've got the
funding, you guys went from zero to one, now you've got
growth, you got two markets, you got the cloud native,
the pain sufferers, and now you're getting into
security conversations, which is big money, big stakes as well. I mean, operational
production is big stakes too, but breaches are greater
than production, I would say. Some people might debate that,
but you're now in two worlds. What's that like? How are
you threading that needle? There's no magic quadrant for a new category. Maybe there will be.
Ryan Carlson
>> Yeah.
- What's it like? What are you guys doing?
Ryan Carlson
>> We believe fundamentally, we help customers build
software in a better way. If we're a better way to build software, how do we start that conversation? Sometimes there's a compliance
event where somebody has to be compliant to a certain standard and removing vulnerabilities
are part and parcel with that. That's a very easy way for
us to start that discussion. What we also have found
is that, especially among security communities,
word of mouth travels fast. A year ago when we had to
introduce Chainguard to everybody, now we walk into conversations,
they've heard of us and we have to fill in the details and the details that
we're filling in now are what we do for container images. As you know, we've launched two
new products alongside that. We're now going up and down
the stack to help do what we do for container images for different types of open
source software as well. >> As you run the company, is
that a go-to market challenge? >> What are some of the challenges and things that you have to focus on?
Ryan Carlson
>> I think typically when any kind of iconic startup becomes
a really big company, they go from being a
single product company to multi-product companies. Where I think where most
companies fail when they bring multiple products into the mix
is they don't appreciate the fact that they might now have to sell those additional products to different types of people. With Chainguard, one of
the great things about what we're doing, we're
going from container images to now having VM container host images and also language libraries,
two very different types of open source software,
which we now address as well. We're still talking to the same teams. We now have three things to talk about with those same buyers. From a go-to-market standpoint, it's very much about educating
our teams to be conversant in what those do, the measure and quantify the value that
we're bringing to customers. Again, we're creating budget in many cases for something that didn't exist before. We have to show them quickly
why this is a good investment. >> I have to ask you since you're here, because this is a
masterclass side benefit. When you go into a company that
has no budget for a category that doesn't exist, they got
a fine budget from somewhere. How did that go down? Was the primary stakeholder,
obviously the developers that you were hitting
on the open source side, when did it pop up as a business benefit? Just the speed, the crappy
software? Was it software issue? I mean, I don't know. Tell
me how this all played out.
Ryan Carlson
>> Everybody's using open source software to a first approximation and everybody has to maintain
that open source software. Different companies and different
organizations experience that pain in different areas or to different lengths
and different extents. For us, we want to identify the pain that they're experiencing
and then try to solve it. Chainguard has four core
values at the company. The number one core value
is customer obsession. If we're obsessed with
solving our customer's pain, that usually leads to
the right discussion. It starts with first listening to how are they're doing things
today, where is that pain, and then attaching ourselves
to it in incredible way where we can solve that for them. >> How does a customer get involved? We have our own little AI
tool that's come out of all of our transfers called thecubeai.com, shameless plug. One of the most popular queries, not like we're like Google Zeitgeist and looking at the search, but one of the most popular queries, believe it or not is, are SBOMs secure? For people who don't
know what an SBOM is, it's a software bill of materials. You get the Docker worlds. You mentioned software supply chain. SBOMs talks directly to
the software supply chain. Huge problem. What are some of the things you guys do
there on the action side? I think that's really where
the compelling value is because observability and
visibility is one thing. Is my supply chain secure? Then, what if, oh my god, it's not. What do I do? Who do you call?
Ryan Carlson
>> Yeah, so if we're fixing this stuff and rebuilding it from source, we're not just stripping out CVEs or vulnerabilities, we are also
building it in a modern way. We're doing things to
these container images that would make them streamlined for a production environment,
pull out a package manager or a shell that a developer might need, but you don't want in a
production environment. We're also including Sigstore
compliant SBOMs with all of our container images and
what we sometimes say is, "You can trust but verify that we're doing what we say from source all
the way through to registry." That's part of it. Another thing that you asked, which I think is relevant here, is
when we're creating a category and we're doing something
fundamentally new, a big part of what we can do is educate people. We have a learning labs team that educates people on all
aspects of open source software, not just our products, but
how do you maintain it? What are the nuances of open
source software learning labs? Really, if we're educating
people on all the nuances around what we do, we're bringing them into the mix at the same time. >> Ryan, what came out of Google Next for me when I was extracting
the data out of that show is that Google's DeepMind research
division is actually having impact into the product, not just some out in the weeds research. How important is research on your guys because I'm sure that must be compelling because with AI coming in, the velocity of new code is coming in. I mean, you can't swing a stick
these days without hitting some AI generated code. I mean, most of the people
are predicting a lot of code generations coming in, Cursor. These tools are pretty amazing.
Ryan Carlson
>> Yeah, we look at that in two ways. How is that affecting the market, and then how are we
leveraging it internally? As AI is affecting everything, things are changing
faster than ever before. People are moving faster than ever before. Engineers are building new and different things
faster than ever before. Open source software underpins all that. As people build more and
more things, that benefits us and that's more problems
that we can solve. Internally, we had the same
co-founder that helped co-create Kubernetes. He's working on an AI initiative
to really understand where and how we can use AI inside
the company to move faster. I mentioned it before, but a big part of Chainguard's value proposition for our customers is saving them time. We're making things more efficient. If we can use AI to
make us more efficient, we're multiplying the efficiency gains inside of our customers as well. >> I love Kubernetes because
now that it's mainstream, theCUBE's been to every KubeCon. In fact, I was in the room
when Kubernetes was hatched, when Google was talking about
open source in the paper, OpenStack was the rage back
then, if you remember OpenStack. We all had a vision of hey, that could maybe unify the industry around the interoperability. We didn't really use
the word orchestration, but we called it the TCP/IP moment and that the world needed that. Amazon was growing. Now you're looking at where we are now, it's native. Is there a Chainguard native approach where you guys see yourselves as being native in the tool chain where it's like you guys are embedded almost like a compiler?
Ryan Carlson
>> Yeah, absolutely. I mentioned our customers range from startups to large companies. The startups who are building
their stack from the beginning can start with Chainguard
and save themselves the time that they would have had to spend. I just talked to a customer
this morning who has a containerization initiative
for their large infrastructure, and a big part of their
initiative will be Chainguard as the foundational layer
that helps them do it faster but also more securely. >> Talk about the customer. Let's take a minute to explain and unpack. How do I use Chainguard?
Take a minute to explain. I know it's a little bit going
backwards in the conversation a bit, but I want to
just get it out there. When do I know I need
Chainguard? How do I deploy it? How do I consume it?
How do I integrate it? How do I leverage it? Can
you share some use cases on how people are using you guys?
Ryan Carlson
>> Yeah, absolutely. I mentioned before, Chainguard is
different in a variety of ways. We're security that actually
speeds up innovation. We're security that
helps save engineers time and can pay for itself in
engineering productivity. Usually, those things are not. Another way in which Chainguard
is different is they're not coming in and saying,
"Here's a fundamentally different piece of software. " We're saying, "You're using
Java, you're using Python, you're using Go, you're using
Postgres, you're using MySQL. You're using thousands of
other open source technologies. We say keep using it,
just get it from us," and it's an oversimplification
to say you just swap out what you're using with Chainguard, but what we typically do is we
will integrate the container images that we provide to them in their existing CI/CD pipeline. It's very hard if you care
about security in a large organization to get the
development teams to change what they're doing to adopt
a new security approach. In this case, we don't have to tell them that they have to adopt something new. We say, "Use the open
source that you want to use, just get it from us," and then the toil around maintaining it is what we take away from it. >> I mean, switching costs are almost zero.
Ryan Carlson
>> Yes. I mention this all the time. >> One of the fastest growing
parts of our business are multiple different divisions in the U.S. Federal Government. If they can adopt it as quickly, you know
that they're switching costs as well. >> If they're moving fast, can you imagine what an enterprise could do?
Ryan Carlson
>> It's a testament to how
much pain we solve for them, that they move that fast as well. >> You guys got some cool stuff going on. I have to ask you, what's
the coolest thing you've seen come out Chainguard? Could be anecdotal, could be a customer, it could be internal. Tell me something cool that you guys are working on or you've seen.
Ryan Carlson
>> You know you're in an innovative technology driven startup where new product features
come out that nobody asks for, and we have one that we
call CVE Visualizations. It's a challenge for us in some cases because customers get a
piece of software from us. They see no vulnerabilities
in that piece of software. They think something's wrong.
They're not used to that. So the product and engineering team came
out with a product called CVE Visualizations, which
makes it exceedingly clear how many CVEs we're removing
from their infrastructure, how much they can count on that over time, which really helps demonstrate
the ROI, but really proves and shows to them these are the problems we're solving for them. >> The customers must love that because they can see their fellow tribe working on their products proactively.
Ryan Carlson
>> Yes, exactly.
- All right, so now, I guess my final question
is, as president, you got a big fat round of finance and you guys are doing well, financially. Money's not an issue, but you do have to run the organization. What are your priorities
right now for the next year? Is it go to market, more
engineering, all of the above? You hiring? What's the focus?
Ryan Carlson
>> It is all things across the board. We are innovating more and
investing more in engineering and technology so we
can continue to expand and enhance the products we have. For example, a container
image today is something that has no CVEs, but we've
added capabilities to it, like what we call EOL grace period. Even if an open source piece
of software goes end of life, we can still maintain components of it after that and still add value. We continue to innovate and enhance our products in that way. Certainly, if we believe
that every company and every organization on
the planet can be made better with Chainguard, we have to
have people who can serve them. That's marketing, that's sales, that's the customer success
team that helps them get up and running and deployed and
live and using the product. We're very proud of the fact that when customers buy Chainguard's products, they end up buying more of it. Not because we're selling them more, but because they see the value that comes from it. They consume more. >> That's a great product market fit. Shows, you're still going to
hit the security conferences? Black Hat must be a big one for you too. That's where the tribe,
the groups come, more of a summer camp, as
they call it for techies, and Kubernetes is still critical.
Ryan Carlson
>> KubeCon is big for us everywhere we go, but any event where there are
people who care about security and any event where there people
who are building software, and so our calendars are full with all the events we go to
try to bring this together. >> Well, congratulations. Thanks for coming on,
theCUBE. Appreciate you.
Ryan Carlson
>> Thank you very much.
- Chainguard, hot growing startup, soon to be public with
the pace they're going on, not in this year, but certainly
when you can really solve the problem of open
source software at scale. Again, we are in a modern
re-platformization era where at scale value
has to be table stakes and that's where the winners and the losers are going to get separated. Of course, theCUBE is bringing
you all the open source media data to you here on the live stream. I'm John Furrier, your host at
theCUBE. Thanks for watching.