Total Economic Impact
Cost Savings And Business Benefits Enabled By Chainguard Containers
A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY Chainguard, January 2026
Research estimates that 77% of an enterprise’s codebase now comes directly from open source as opposed to proprietary development.1 As open source software grows in adoption and ubiquity, organizations face new operational challenges and security risks. Organizations are contending with an escalating volume and sophistication of software supply chain attacks, which has increased regulatory pressure to manage this attack surface and mitigate risks. This reality has increased the overhead, complexity, and toil for engineering teams, redirecting resources from building software to patching and maintaining it. In this context, advanced container security platforms help enterprises better manage open source dependencies, surface risks, and maintain more secure software ecosystems.
Chainguard is a software supply chain security company that provides a family of minimal, hardened, and continuously updated software artifacts — including container images — designed to reduce vulnerabilities and simplify maintenance. Chainguard’s secure-by-default artifacts automate image upkeep and vulnerability remediation, reducing the manual patching and compliance overhead associated with frameworks like FedRAMP, PCI DSS, CMMC, and more. These capabilities can help organizations strengthen their software supply chain security while reducing the operational toil that pulls developers away from building software.
Chainguard commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Chainguard Containers.2 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Chainguard Containers on their organizations.
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed eight decision-makers from six organizations with experience using the Chainguard Containers solution. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization, which is a global software-focused organization with $250 million in annual revenue and 1,000 employees.
Interviewees said that prior to using Chainguard Containers, their organizations relied on fragmented, manual vulnerability management processes and ad hoc patching of their container images by siloed teams. Prior attempts to improve these environments yielded limited success, leaving teams with inconsistent security practices, high remediation costs in the form of engineering time, and constant firefighting between security and development teams. These limitations led to mounting technical debt, delayed feature releases, compliance risks, and strained customer relationships due to the inability to meet strict vulnerability and regulatory requirements.
Interviewees said transitioning to Chainguard Containers represented a strategic shift for their organizations and allowed them to move from reactive manual security practices to proactive, automated, and scalable container security. Key results from the investment include reduced vulnerabilities, reduced development and engineering effort, increased speed to delivery, and additional profit.
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
A 90% reduction in development and security engineering effort for vulnerability tracking and remediation. With Chainguard Containers, the composite reduces its manual patching workload due to automation, hardened images, and proactive security practices, which lowers its vulnerability management efforts for base images. Per year, the reduction in development and engineering capacity dedicated to vulnerability management is $350,000. Over three years, the reduction in development and security engineering effort is worth $871,000 to the composite organization.
A 90% reduction in vulnerabilities. The reduction of vulnerabilities in container images and application environments decreases the composite’s likelihood of security incidents, breaches, and exposure to software supply chain threats, resulting in avoided costs related to incident response efforts, regulatory penalties and fines, customer churn, and disruption to business operations. For the composite, this represents $153,000 per year in avoided costs. Over three years, the reduction in vulnerabilities is worth $380,000 to the composite organization.
A 5% increase in new business revenue from customers in highly regulated industries. With Chainguard Containers, the composite organization meets the compliance and security expectations of customers in heavily regulated industries (e.g., finance, healthcare, government). For the composite, serving these customers leads to $240,000 per year in additional revenue. Over three years, this yields a profit impact of $597,000 for the composite organization.
A 50% reduction in off-cycle release work and ad hoc engineering effort. The composite adds automation to its rebuild process as Chainguard Containers provides secure, patched container images. Fixes are backported without introducing new versions. For the composite, the additional developer capacity to ship new products, platforms, and features generates $260,000 per year. Over three years, reduced rebuild time and increased speed to delivery is worth $670,000 to the organization.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
Improved collaboration between security and developer operations. By providing a centralized and automated approach, Chainguard’s container solution helps reduce friction between security and developer teams for the composite organization and supports closer collaboration on shared goals such as feature releases and strategic initiatives.
Improved employee satisfaction and developer experience. With fewer vulnerabilities to address and less remediation work, engineers at the composite organization report reduced frustration and an improved ability to focus on higher-value work.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
Chainguard subscription. After a proof of concept and pilot phase, the composite begins using Chainguard images. Each year, the cost of a Chainguard subscription — including the product subscription, customer success support, and professional services — is $220,000 per year for the composite organization. Over three years, the composite incurs $619,000 in Chainguard subscription costs.
Implementation and ongoing management. The composite organization dedicates two weeks (80 hours) of migration effort per base image to move from existing images, along with 80 engineering hours annually for ongoing management. Over three years, the composite organization invests $128,000 in implementation and ongoing management.
Change management and training. The composite dedicates one hour per engineer to training related to Chainguard Containers and provides engineers with documentation and recordings. Over three years, training and change management costs total $9,000 for the composite organization.
The financial analysis that is based on the interviews found that a composite organization experiences benefits of $2.5 million over three years versus costs of $756,000, adding up to a net present value (NPV) of $1.8 million and an ROI of 233%.
Key-statistics figure (values as stated in the summary above): return on investment (ROI) 233%; benefits PV $2.5 million; net present value (NPV) $1.8 million; payback period (value not given in the text).
Interviewees (eight decision-makers from six organizations):

| Role | Industry | Employees | Revenue |
|---|---|---|---|
| Engineering manager | Software | 550 | $60M |
| Senior software engineer | Manufacturing | 4,000 | $2B |
| Chief architect, enterprise; application security product lead | Software | 67,000 | $20B |
| Senior director of product security | Energy | 75,000 | $35B |
| Senior manager of developer platform | Transportation | 130,000 | $54B |
| Vice president of application hosting and automation; vice president of cloud platform engineering | Healthcare | 310,000 | $253B |
Interviewees said that before using Chainguard Containers, their organizations faced mounting pressure to secure their software supply chains, but legacy approaches were fragmented and labor-intensive. Interviewees described manual scanning and a lack of centralization that created team-by-team responsibility, no automation, and high labor costs that inhibited remediation and left gaping compliance gaps. The lack of centralized container security further meant that vulnerability management was inconsistent and a drain on engineering resources while regulatory demands and customer expectations for demonstrable security practices compounded these difficulties.
Interviewees noted how their organizations struggled with common challenges, including:
Manual, fragmented vulnerability management. Some of the interviewees said that before using Chainguard Containers, their organization did not have sufficient resources to remediate all vulnerabilities. Those organizations that did have some capacity were only able to address a small percentage of the vulnerabilities outstanding in their environments, given the time required for remediation, so they relied on ad hoc manual processes to analyze, triage, and remediate vulnerabilities in container images. This created inefficiencies, duplicated effort, and persistent risk as teams struggled to keep pace with the volume and complexity of vulnerabilities.
The application security product lead in the software industry said: “Before Chainguard Containers, we didn’t have much of our security processes in place. It was not done at scale.” Interviewees explained that their organizations used public open-source container images with little governance or lifecycle management and said these containers were often neglected and only addressed reactively — typically after a major incident or customer pressure.
A growing number of vulnerabilities with existing resources. Interviewees said that before using Chainguard Containers, development teams at their organizations viewed security as a burden; there was little motivation to address vulnerabilities because efforts rarely made a dent in the number of vulnerabilities and amount of corresponding risk. The senior director of product security in the energy sector said: “I saw some product teams were not addressing alerts from security because the value was not there. I work on these issues, but I still have some issues left. So then what’s the point of me working on these issues? With Chainguard Containers, the motivation was much higher to do it correctly, so that caused the big ripple effect on us.”
Friction between security and developer teams. Interviewees said that before using Chainguard Containers, there was palpable friction between security and application teams regarding vulnerability management. When application teams spent time addressing vulnerabilities, uncertainty remained about which vulnerabilities should be remediated and who was responsible for remediating them. Security and DevOps teams operated in silos, each with separate responsibilities and often conflicting priorities. Security was often seen as a blocker or an afterthought, with developers frustrated by the lack of effective tools and security teams frustrated by the lack of adoption.
High cost and effort of remediation. The manual nature of vulnerability management translated directly into high labor costs and operational inefficiency. Security and engineering teams spent time on tasks that could otherwise be automated, and the financial impact ran into millions of dollars annually. The senior director of product security in the energy sector estimated their organization’s annual internal cost to manage container vulnerabilities without Chainguard would be $2.4 million. They also said tackling all vulnerabilities was difficult due to the number of containers, the average number of vulnerabilities per container at a time, the estimated time to remediate each vulnerability, the cost of labor for remediation, and the fact that this effort would be ongoing as new vulnerabilities are discovered.
The senior software engineer in the manufacturing sector said their organization had projects on both Chainguard Containers and in the legacy environment and compared the differences: “Engineers have spent the last several months doing [almost] nothing but vulnerability remediation on the projects that didn’t use Chainguard Containers. It’s quite the [time] investment they wouldn’t have [needed to make] if these projects were running on Chainguard images.”
Compliance and customer pressure. Interviewees in highly regulated industries said that to satisfy customers’ security requirements, their organizations were increasingly compelled to meet strict regulatory standards like Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI DSS), Cybersecurity Maturity Model Certification (CMMC), and HIPAA. Audits and RFPs often exposed gaps in existing processes, which made it clear that legacy approaches were insufficient for modern risk environments and for addressing customer concerns.
The senior software engineer in the manufacturing industry said: “We were tasked with building a federally compliant implementation of our platform, and with that comes a lot of the complexities and strict requirements around FedRAMP. Images off the general internet when scanned are going to yield hundreds — if not thousands — of vulnerabilities.” The engineering manager in the software industry said, “We had a customer that had a very strict vulnerability policy, and when we were evaluating both an alternative third-party solution and Chainguard Containers, the reality was that the alternate solution was not able to reduce the amount of vulnerabilities as much as Chainguard.”
The application security product lead in the software industry described an organizationwide effort to comply with customer expectations. The interviewee noted: “We were audited by a third-party vendor. So, it was part of an audit initiative that security needs to be a highlight for the company. That’s how [our use of Chainguard] came about.”
Avoided Internal Effort Costs
Interviewees said that without Chainguard Containers, building an internal solution or process for hardened container images and vulnerability management would have required a substantial and often prohibitive investment in labor. The senior director of product security in the energy sector said they calculated what this would cost their organization without Chainguard Containers: “The end number was about $2.4 million, and that’s just for one year. This requires continuous management. … Initially we were doing like five to six images. There is no way we could [create] a team to build and support 160 images. There is no way it would [be] possible.”
The engineering manager in the software industry said that building an internal solution for hardened container images and vulnerability management would be very difficult and costly: “It [would be] somewhere between not possible and more [expensive] than I would be able to calculate. Chainguard is literally building these images from their own base OS. We’d have to essentially rebuild what Chainguard did to really meet the CVE (common vulnerabilities and exposures) like posture that we needed to meet. We’d have probably needed to hire a team of at least five full-time engineers just to maintain that.”
Several interviewees echoed that building internally would either be infeasible or require a specialized team the company would not be able to justify, and some concluded the initiative would require significant investments in both infrastructure and ongoing maintenance. The senior director of product security in the energy sector said: “I think the biggest thing to weigh when considering Chainguard Containers is the cost of trying to do it yourself, including recreating the peace of mind Chainguard gives you. The number one volumetric vulnerability to a software product is its open-source software, and 100% of containers are open-source software. So, on a monthly basis, if you were to look at your vulnerabilities by count, attribute to the percentage those from your containers, and then estimate the cost, it would be very expensive. But if a company is going to solve the problem, it’s going to cost more to do in-house unless it’s a small company. So, at scale, it’s much cheaper to have Chainguard accountable for it.”
The chief architect of enterprise in the software industry said: “If we were doing it ourselves at the scale the company is playing at now, it would have [required] about three to four FTEs. Before Chainguard Containers, we were maintaining it with one FTE, but the number [of vulnerabilities] never went to zero. To reduce that [number] to zero would [require] around two to three FTEs who have to be maintained. That’s not our value proposition. We provide solutions for human resource management, not container security. We don’t want to be in that space, and it’s not worth pulling governance together with a team of five in-house.”
Interviewees estimated that building internally would require teams ranging from three to 20 FTEs for months at a time and millions of dollars in annual labor and technology costs. The opportunity costs — including lost contracts, risk avoidance, and the inability to meet customer or regulatory requirements — would also be significant and, in some cases, they would dwarf the direct costs of building.
Interviewees said their organizations were looking for a solution that is technically robust and operationally efficient, and they said Chainguard’s hardened images, automation, and support model offer a step-change improvement over their legacy practices and competing products. They explained that the following factors led to the investment.
Validated security approach. Each interviewee emphasized the importance of validating that Chainguard could meet their security and operational requirements before full adoption. To ensure the solution aligned with their expectations, the organizations conducted either a proof of concept or a monthlong pilot. The application security product lead in the software industry said, “It was a complete open discussion as we rolled it out to our developer community.” Interviewees said the pilots helped them understand how the solution fits within their existing workflows, confirm its approach to vulnerability management, and assess vendor responsiveness and support before committing to broader use.
Ease of adoption and automation. Interviewees said that ease of integration and automation were important considerations when selecting a solution. Their organizations were looking for a tool their teams could adopt without major workflow disruption and with clear guidance to support onboarding. The engineering manager in the software industry said: “The documentation was clear to the point where execution would be very easy. ... We [realized we would be] able to set up a process very quickly within a couple hours so that our developers could leverage images immediately.” The application security product lead in the software industry similarly emphasized the importance of straightforward adoption and ongoing maintenance, noting their preference for a solution with automated update processes.
Credibility, support, and scalability. Interviewees said vendor credibility, responsive support, and the ability to operate at enterprise scale were important factors in their organizations’ selection processes. Several highlighted the value of working with a provider recognized in the market and trusted in regulated industries or public sector environments. The senior director of product security in the energy sector remarked, “Chainguard for me was just the obvious choice because they created this category.” The vice president of cloud platform engineering in the healthcare industry added that Chainguard’s maturity and certifications aligned with their organization’s requirements: “They had a lot of images, which we wanted, and then they’re also one of the [providers certified by the Department of Defense]. We operate in the public sector, so that was one of the very attractive reasons we went with Chainguard.”
The interviewees’ organizations searched for a solution that could:
Reduce risk exposure and allow them to meet compliance requirements.
Automate vulnerability management to streamline labor efficiencies.
Allow engineering resources to focus on higher-value work (e.g., feature development, innovation).
Create business growth by fortifying customer trust.
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
Description of composite. The global, software-focused organization generates $250 million in annual revenue and has 1,000 employees, including 100 engineers across its DevOps, SecOps, and development teams.
Deployment characteristics. During a monthlong pilot phase, the composite organization begins to use Chainguard’s images, starting with a handful of images during the initial phase. It adds all projects to Chainguard Containers by Year 1.
Composite at a glance: $250 million revenue; global operations; 1,000 employees; 100 engineers across DevOps, SecOps, and development.
Total benefits (three-year, risk-adjusted):

| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Atr | Reduced development and security engineering effort | $350,064 | $350,064 | $350,064 | $1,050,192 | $870,557 |
| Btr | Reduced vulnerabilities | $152,757 | $152,757 | $152,757 | $458,271 | $379,884 |
| Ctr | Contracts enabled through improved compliance | $240,000 | $240,000 | $240,000 | $720,000 | $596,844 |
| Dtr | Developer time savings due to faster builds | $269,280 | $269,280 | $269,280 | $807,840 | $669,660 |
| | Total benefits (risk-adjusted) | $1,012,101 | $1,012,101 | $1,012,101 | $3,036,303 | $2,516,945 |
Evidence and data. Interviewees said that before using Chainguard Containers, their organizations had little to no capacity to remediate tracked vulnerabilities, and some noted their company didn’t have a standard process for remediation at all. Teams that dedicated a small portion of their time to remediation did so based on prioritization, preferring to focus on more strategic work. The senior director of product security in the energy sector said, “Before Chainguard Containers, we just had bad governance when it came to container security. Occasionally, if a really serious vulnerability was tracked, we would shift some focus on it, but otherwise there was just not good container lifecycle management.” They said team members who dedicated even 10% of their time to remediation described the effort as a strain on resources.
Interviewees explained that when time constraints prevent a full rebuild, patching may be used as a stopgap and said that enterprises can lend resources to remediation if necessary. But they noted smaller teams or organizations may lack the capacity to rebuild and instead use patching as a temporary solution. Interviewees said that with Chainguard’s automation and hardened images, their organizations reduced development and security engineering effort and shifted from manual, reactive remediation to proactive, scalable security practices.
The vice president of cloud platform engineering in healthcare noted that development teams were heavily burdened by vulnerability tracking and remediation. They said “maybe 10%” of development effort was going into vulnerability remediation, but that the effort required for vulnerability management dropped to zero — especially for base images — with Chainguard Containers: “Now we pretty much don’t spend any time at all [on base image vulnerabilities]. The time we continue to spend is on the application teams putting their own open-source application components that we still need to continue to support on top of those base images.”
The engineering manager in the software industry reported that their organization’s DevOps and developer teams previously spent manual effort on vulnerability remediation — especially for public sector releases. They estimated that for each release, about three engineering days were spent on vulnerability remediation for third-party open-source applications and developer teams spent about 10 engineer-days fixing vulnerabilities in internal applications deployed via base images. The engineering manager said that Chainguard Containers helped reduce this effort to about 1 to 2 hours per release for DevOps teams using third-party open source apps and to about two days for developer teams deploying services on base images.
The application security product lead in the software industry noted that after their organization’s Chainguard deployment, teams reduced vulnerabilities to zero with “just two lines of code and regression testing.”
Interviewees said the combination of Chainguard’s hardened and continuously patched base images, automated updates, and vendor-managed vulnerability remediation eliminated the need for manual patching, allowing teams to shift focus from ongoing security maintenance to higher-value tasks.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Before using Chainguard Containers, 100 engineers spent 5% of their time on vulnerability tracking and remediation.
With Chainguard Containers, the engineers reduce tracking and remediation time by 90%.
The average hourly burdened rate for a highly technical senior engineer is $88.
Risks. The impact of this benefit will vary among organizations based on the following factors:
The total open-source application security effort required in the prior environment.
The percentage of projects that use Chainguard Containers and the scale of the deployment.
The size and scope of applications and dedicated developer, DevOps, and security teams.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $871,000.
Reduction in engineering time required for vulnerability tracking and remediation
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| A1 | Total DevOps, developer, and security engineers | Composite | 100 | 100 | 100 |
| A2 | Percentage of engineering time spent on vulnerability tracking and remediation before Chainguard Containers | Interviews | 5% | 5% | 5% |
| A3 | Total time dedicated to vulnerability tracking and remediation in the prior environment (hours) | A1*A2*2,080 | 10,400 | 10,400 | 10,400 |
| A4 | Percentage reduction in time dedicated to vulnerability tracking and remediation with Chainguard Containers | Interviews | 90% | 90% | 90% |
| A5 | Average fully burdened hourly rate for an engineer | Composite | $88 | $88 | $88 |
| A6 | Productivity recapture rate | TEI methodology | 50% | 50% | 50% |
| At | Reduced development and security engineering effort | A3*A4*A5*A6 | $411,840 | $411,840 | $411,840 |
| | Risk adjustment | ↓15% | | | |
| Atr | Reduced development and security engineering effort (risk-adjusted) | | $350,064 | $350,064 | $350,064 |

Three-year total: $1,050,192. Three-year present value: $870,557.
Evidence and data. Each interviewee described a notable decrease in the number of vulnerabilities present in container images and application environments with Chainguard Containers. Those from organizations that previously struggled with hundreds or thousands of vulnerabilities said Chainguard’s hardened, continuously updated images enabled their companies to reduce the number of vulnerabilities by between 70% and 90%. Some noted the number reduced to nearly zero.
The senior director of product security in the energy sector said their organization decreased its number of vulnerabilities from 30,000 to effectively zero and noted that this exceeded results from the initial proof of value phase. The vice president of cloud platform engineering in healthcare echoed this, stating, “Overall, we were able to reduce about 70% to 80% of vulnerabilities across the enterprise.”
The senior manager of developer platform in the transportation industry said: “Chainguard Containers remediated upwards of 80% to 90% of teams’ vulnerabilities in the base layer. The practical effect was a reduction from upwards of 700 vulnerabilities per team to single digits after adopting Chainguard images.”
The engineering manager in the software industry reported, “Our vulnerability count dropped from roughly 500 to 1000 vulnerabilities down to around 50 after integrating Chainguard Containers, even without the most recent codebase updates.”
The application security product lead in the software industry said Chainguard Containers eliminated 80% of severe issues, and they estimated a reduction of 350,000 issues in the past year.
Several interviewees explicitly linked the reduction in vulnerabilities to a lower likelihood of security incidents or breaches. The senior director of product security in the energy sector stated: “We had previously unsurmountable risk in our containers that was completely outside of our jurisdiction. We couldn’t get on top of it, and now we just don’t have that. Chainguard Containers reduced it by 80% for both exposure to software supply chain vulnerabilities and breach likelihood.”
The vice president of cloud platform engineering in healthcare noted, “Chainguard Containers reduced the risk for our applications — including the risk of data loss and zero-day [attacks] — because we never know who is out there.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization’s total risk exposure is $1,678,000.3
For the composite, 17% of breaches are due to external attacks from software vulnerability exploit, software supply chain breach, or web application exploit.4
Seventy percent of the composite’s application code is open source.5
Chainguard Containers reduce the composite organization’s vulnerabilities by 90%.
Risks. The impact of this benefit will vary among organizations based on the following factors:
The organization’s size, industry, and operations.
The percentage of the organization’s open-source application code and container use.
The scale of the organization’s Chainguard container deployment.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $380,000.
Reduction in vulnerabilities
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| B1 | Total risk exposure | Forrester research | $1,678,000 | $1,678,000 | $1,678,000 |
| B2 | Percentage of breaches due to external attacks from software vulnerability exploit, software supply chain breach, or web application exploit | Forrester research | 17% | 17% | 17% |
| B3 | Percentage of application code that is open source | Research data | 70% | 70% | 70% |
| B4 | Risk exposure addressable with Chainguard Containers | B1*B2*B3 | $199,682 | $199,682 | $199,682 |
| B5 | Reduction in vulnerabilities with Chainguard Containers | Interviews | 90% | 90% | 90% |
| Bt | Reduced vulnerabilities | B4*B5 | $179,714 | $179,714 | $179,714 |
| | Risk adjustment | ↓15% | | | |
| Btr | Reduced vulnerabilities (risk-adjusted) | | $152,757 | $152,757 | $152,757 |

Three-year total: $458,271. Three-year present value: $379,884.
Evidence and data. Interviewees from organizations serving highly regulated or competitive industries in which security and compliance are non-negotiable for clients said the shift to Chainguard Containers was especially crucial. The senior software engineer in manufacturing explained: “We were tasked with building a federally compliant implementation of our platform, and with that comes a lot of the complexities and strict requirements around FedRAMP. Images off the general internet when scanned will yield hundreds if not thousands of vulnerabilities.” The senior manager of developer platform in the transportation industry said their organization needs to comply with PCI DSS, and the engineering manager in the software industry referenced Risk Management Framework (RMF) and Authorization to Operate (ATO) as requirements for deploying in military and public sector environments.
The senior software engineer in manufacturing noted that due to compliance requirements, securing federal contracts would not have been possible without Chainguard Containers, and said it made it possible for their organization to obtain one federal contract worth $20 million.
The senior director of product security in the energy sector explained that Chainguard Containers enabled their company to meet customer requirements that would have otherwise blocked product launches or delayed contracts: “We had a customer that would not put our software into production until we addressed these issues. They had a deadline and they discovered all the vulnerabilities that they could not allow. By implementing Chainguard Containers, [we] were able to address all of the vulnerabilities in one fell swoop. The cost of that delayed contract with concessions we would have had to make would probably have been $5 million for just this one customer. So, without Chainguard Containers, even just one customer engagement would have had a tangible loss of concessions in one contract.”
The same interviewee mentioned a different contract that was in danger of termination unless vulnerabilities could be addressed. They said: “The customer was just at the end of their rope with us trying to burn down the vulnerabilities. It came to the point that we signed with Chainguard and named it in our solution process. So we actually named the vendor as the value proposition in our ability to meet the demands of the customer.”
The engineering manager in the software industry described winning a $2 million per year contract with the potential to expand to $20 million per year because Chainguard Containers enabled their organization to meet a customer’s strict vulnerability requirements. The interviewee estimated that 30% to 40% of the organization’s revenue currently depends on meeting vulnerability-related requirements that Chainguard enables, and they noted this share could grow to as much as 70% to 80% as more customers adopt stricter security standards.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite’s annual revenue is $250 million.
Twenty percent of the composite’s annual revenue is from new business.
Due to industry compliance regulations, 5% of the composite’s new business or expanding business is at risk without Chainguard.
The composite’s operating profit margin is 12%.
Risks. The impact of this benefit will vary among organizations based on the following factors:
The organization’s revenue and its percentage of retained versus new business.
The percentage of the organization’s revenue streams from highly regulated industries and the potential to expand in these sectors.
The organization’s industry.
The organization’s profit margin.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $597,000.
Annual revenue won from contracts with customers in highly regulated industries
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| C1 | Revenue | Composite | $250,000,000 | $250,000,000 | $250,000,000 |
| C2 | Percentage of revenue from new business | Composite | 20% | 20% | 20% |
| C3 | Percentage of new business from contracts at risk without Chainguard | Interviews | 5% | 5% | 5% |
| C4 | Revenue won due to Chainguard from contracts with customers in highly regulated industries | C1*C2*C3 | $2,500,000 | $2,500,000 | $2,500,000 |
| C5 | Operating profit margin | Composite | 12% | 12% | 12% |
| Ct | Contracts enabled through improved compliance | C4*C5 | $300,000 | $300,000 | $300,000 |
| | Risk adjustment | ↓20% | | | |
| Ctr | Contracts enabled through improved compliance (risk-adjusted) | | $240,000 | $240,000 | $240,000 |
| | Three-year total: $720,000 | | Three-year present value: $596,844 | | |
Evidence and data. Several interviewees explained that Chainguard’s hardened, continuously updated images allow their organizations to rebuild and redeploy applications much more quickly than they previously could. This was especially important for organizations with strict compliance requirements or frequent vulnerability discoveries because rebuilds can be delayed by manual remediation.
The senior director of product security in the energy sector said that before using Chainguard Containers, off-cycle releases to address vulnerabilities were extremely costly and disruptive and often doubled engineering effort. But they explained that with Chainguard Containers, it’s easy to replace vulnerable containers, eliminating the need for emergency releases and freeing up resources for planned work: “Within six weeks, we were able to completely take all of the open-source containers and rotate in all of the Chainguard images. So the solution allowed us to basically replace vulnerable containers with Chainguard images without any introduction to changes that would break anything.” The interviewee said having the ability to avoid or reduce the time needed for off-cycle releases and to focus on planned work meant that teams could deliver more features on schedule — and with less disruption: “Now we can include more features that we’ve promised on the roadmap in those same monthly releases since we’re not having to spend so much time burning down the technical debt vulnerabilities.”
The senior manager of developer platform in the transportation industry noted that before using Chainguard Containers, one FTE spent anywhere from 2 to 4 hours per week rebuilding due to vulnerabilities. The interviewee noted this was a recurring, ongoing requirement across the organization. “[With Chainguard,] most teams have reported being able to work on other areas to make sure their software delivery is efficient. So, they take that saved time and reallocate it into speed to delivery.”
Interviewees said with Chainguard Containers, their organizations use smaller, minimal container images, which reduce build, scan, and deployment time. Smoother integration and documentation reduced friction in updating pipelines, and automated dependency management reduced manual troubleshooting and testing. The senior manager of developer platform in the transportation industry reported that due to this, builds became faster and more reliable: “Some teams had reported Chainguard trimming a 20-minute build to 2 to 3 minutes.” Interviewees also explained that using smaller, more secure images translates to less time spent on troubleshooting and more time spent on delivery. The senior manager of developer platform said, “From an enterprise standpoint, our delivery speed is 14% faster this year compared to last year, and we have 9% more releases.”
The platform engineering manager in healthcare reported a 5% to 10% increase in project throughput because time previously spent on security remediation was redirected to delivering business value.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite organization releases biweekly across five applications.
Previously, 15% of the releases were delayed due to rebuilding, approval friction, or vulnerabilities on an ad hoc basis.
The composite spends about 720 developer hours annually on off-cycle releases.
Chainguard Containers reduce the number of hours required for this by 50%.
Risks. The impact of this benefit will vary among organizations based on the following factors:
The number and cadence of on- and off-cycle releases in the organization’s prior environment.
The amount of time developers spent on off-cycle releases in the prior environment.
The size of the organization’s development team.
The organization’s roadmap and strategy for innovation and feature development.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $670,000.
Time reduction for off-cycle releases
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| D1 | Apps | Composite | 5 | 5 | 5 |
| D2 | Releases per app | Composite | 26 | 26 | 26 |
| D3 | Percentage of off-cycle releases delayed due to rebuilding, approval friction, or vulnerabilities | Interviews | 15% | 15% | 15% |
| D4 | Off-cycle releases delayed due to need to rebuild (rounded) | D1*D2*D3 | 20 | 20 | 20 |
| D5 | Developer time previously expended on off-cycle releases (hours) | Interviews | 720 | 720 | 720 |
| D6 | Time reduction for off-cycle releases due to Chainguard Containers | Interviews | 50% | 50% | 50% |
| D7 | Time saved due to Chainguard Containers (hours) | D4*D5*D6 | 7,200 | 7,200 | 7,200 |
| D8 | Productivity recapture | TEI methodology | 50% | 50% | 50% |
| Dt | Developer time savings due to faster builds | D7*D8*A5 | $316,800 | $316,800 | $252,000 |
| | Risk adjustment | ↓15% | | | |
| Dtr | Developer time savings due to faster builds (risk-adjusted) | | $269,280 | $269,280 | $269,280 |
| | Three-year total: $807,840 | | Three-year present value: $669,660 | | |
Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:
Improved collaboration between security and developer operations. Several interviewees described friction or tension between SecOps and DevOps prior to adopting Chainguard Containers and explained how the solution helped alleviate these issues. They said Chainguard Containers provided a centralized, automated solution that made it easier for both security and development teams to achieve their goals and that developers became more motivated because they could see immediate results while security teams no longer had to market security or enforce compliance through friction.
Interviewees explained that rolling out Chainguard images with partnership from security teams strengthened trust and created a shared understanding of responsibilities. Security teams became partners in the process, and both groups noted that using Chainguard images reduced friction by eliminating recurring debates about image quality and vulnerability expectations. The vice president of cloud platform engineering in manufacturing said: “[The] security operations [team members] are partners in this, so they know that if you’re using an image from Chainguard that is the best image we could get out of the market.”
Overall, interviewees said Chainguard’s ease of adoption and automation helped change the relationship between the two teams from adversarial to collaborative, with the security team becoming an enabler rather than an obstacle.
Improved employee satisfaction and developer experience. Interviewees remarked that with Chainguard’s solution, teams indicated higher job satisfaction and relief. The engineering manager in the software industry said: “I’ve heard fewer complaints as we’ve seen fewer vulnerabilities. No one wants to work on vulnerabilities.” The senior manager of developer platform in the transportation industry echoed this sentiment: “When we actually show teams Chainguard, they are a lot happier with the process [because they don’t] have to deal with all the remediations.”
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement Chainguard Containers and later realize additional uses and business opportunities, including:
Future innovations and business growth. Interviewees said Chainguard enabled their organizations to release new features that would have otherwise remained stalled or unreleased and to pursue business opportunities that were previously out of reach due to security bottlenecks. They explained that the automation and reliability Chainguard provided freed up engineering capacity for potential innovation and could unlock new markets in the future. The engineering manager in the software industry noted, “Consistently we’ve been able to estimate five days fewer of infrastructure DevOps time per release, and so that time has been allocated to feature platform enhancements.”
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Etr | Chainguard subscription | $71,500 | $220,000 | $220,000 | $220,000 | $731,500 | $618,607 |
| Ftr | Implementation and ongoing management | $38,720 | $85,184 | $7,744 | $7,744 | $139,392 | $128,378 |
| Gtr | Change management and training | $2,024 | $8,096 | $0 | $0 | $10,120 | $9,384 |
| | Total costs (risk-adjusted) | $112,244 | $313,280 | $227,744 | $227,744 | $881,012 | $756,369 |
Evidence and data. Interviewees said their organizations’ subscription costs for Chainguard Containers are based on one of two different models: per image or per developer. They also noted their subscriptions often include support and professional services. Pricing may vary. Contact Chainguard for additional details.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite pays subscription costs of $65,000 during the initial period.
The composite pays $200,000 in annual subscription costs in Years 1 to 3.
Risks. The impact of this cost will vary among organizations based on the organization’s number of images or developers, based on which pricing model is used.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $619,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| E1 | Chainguard subscription | Composite | $65,000 | $200,000 | $200,000 | $200,000 |
| Et | Chainguard subscription | E1 | $65,000 | $200,000 | $200,000 | $200,000 |
| | Risk adjustment | ↑10% | | | | |
| Etr | Chainguard subscription (risk-adjusted) | | $71,500 | $220,000 | $220,000 | $220,000 |
| | Three-year total: $731,500 | | Three-year present value: $618,607 | | | |
Evidence and data. Interviewees said implementation typically involved a short pilot or proof-of-concept phase in which teams integrated Chainguard images into the organization’s CI/CD pipeline or container registry. The time needed to migrate images varied widely depending on the number of images and the complexity of the services.
The engineering manager in the software industry reported that their organization’s initial adoption took one to two days and was handled by a single person. The vice president of application hosting and automation and the vice president of cloud platform engineering at the healthcare organization said 10 FTEs were involved in their company’s two-week rollout. The senior manager of developer platform in transportation noted that after a four-week pilot period, their organization used three FTEs to roll out the solution over eight four-day weeks. And the application security product lead in software described a pilot period that took several weeks and involved large teams with weekly syncs to address technical questions.
Interviewees described ongoing management as minimal and highly automated. Most reported that after the initial setup, maintenance requires a fraction of one FTE’s time — often a few minutes per day — or a small portion of one engineer’s workload to ensure images are up to date and to communicate changes to teams. The bulk of the work involves monitoring for updates, ensuring compliance, and occasionally answering developer questions, with most vulnerability remediation and image updates automatically handled by the Chainguard platform.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite requires 400 hours to migrate some base images onto Chainguard Containers in the initial period and then 800 hours to migrate the rest in Year 1.
In Years 1 to 3, the composite dedicates 80 hours annually to ongoing management.
Risks. The impact of this cost will vary among organizations based on the size and scope of the organization’s application projects and the developer teams that use Chainguard Containers.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $128,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| F1 | Fully burdened hourly rate for an engineer | Composite | $88 | $88 | $88 | $88 |
| F2 | Migration time for images (hours) | Interviews | 400 | 800 | 0 | 0 |
| F3 | Subtotal: Implementation costs | F1*F2 | $35,200 | $70,400 | $0 | $0 |
| F4 | Engineering time needed for ongoing management (hours) | Interviews | 0 | 80 | 80 | 80 |
| F5 | Subtotal: Cost of ongoing management | F1*F4 | $0 | $7,040 | $7,040 | $7,040 |
| Ft | Implementation and ongoing management | F3+F5 | $35,200 | $77,440 | $7,040 | $7,040 |
| | Risk adjustment | ↑10% | | | | |
| Ftr | Implementation and ongoing management (risk-adjusted) | | $38,720 | $85,184 | $7,744 | $7,744 |
| | Three-year total: $139,392 | | Three-year present value: $128,378 | | | |
Evidence and data. Interviewees said training and change management for Chainguard Containers requires a few hours of engineering time for onboarding and adoption.
The engineering manager in the software industry reported their organization didn’t need any formal training sessions and instead created a brief internal documentation page that engineers were able to use while adopting Chainguard images.
The senior director of product security in the energy sector said their organization’s onboarding training consists of some hourlong sessions and that they don’t anticipate a need for ongoing training.
The senior manager of developer platform in transportation noted their organization initially conducted one to two trainings per month over three or four months. These were primarily education sessions to help teams onboard and understand the benefits and usage of Chainguard images.
The application security product lead in software said their organization held a panel discussion and some training sessions, and that each was recorded and shared for asynchronous access.
The vice president of cloud platform engineering in healthcare noted that Chainguard handled most of the training effort through workshops and outreach, which required little time from internal staff.
Modeling and assumptions. Based on the interviews, Forrester assumes the composite organization onboards 20 engineers during the initial period and 80 in Year 1.
Risks. The impact of this cost will vary among organizations based on the following factors:
The number of FTEs the organization trains.
The depth and cadence of the training provided.
Results. To account for these risks, Forrester adjusted this cost upward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $9,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| G1 | Engineers onboarded | Composite | 20 | 80 | 0 | 0 |
| G2 | Onboarding time (hours) | Interviews | 1 | 1 | 0 | 0 |
| Gt | Change management and training | F1*G1*G2 | $1,760 | $7,040 | $0 | $0 |
| | Risk adjustment | ↑15% | | | | |
| Gtr | Change management and training (risk-adjusted) | | $2,024 | $8,096 | $0 | $0 |
| | Three-year total: $10,120 | | Three-year present value: $9,384 | | | |
| | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Total costs | ($112,244) | ($313,280) | ($227,744) | ($227,744) | ($881,012) | ($756,369) |
| Total benefits | $0 | $1,012,101 | $1,012,101 | $1,012,101 | $3,036,303 | $2,516,945 |
| Net benefits | ($112,244) | $698,821 | $784,357 | $784,357 | $2,155,291 | $1,760,576 |
| ROI | | | | | | 233% |
| Payback | | | | | | <6 months |
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PVs are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Chainguard Containers.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Chainguard Containers can have on an organization.
Interviewed Chainguard stakeholders and Forrester analysts to gather data relative to Chainguard Containers.
Interviewed eight decision-makers from six organizations using Chainguard Containers to obtain data about costs, benefits, and risks.
Designed a composite organization based on characteristics of the interviewees’ organizations.
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.
Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
Present value (PV). The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
Net present value (NPV). The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
Return on investment (ROI). A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
Discount rate. The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
Payback period. The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.
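The discounting convention described in the financial summary (initial period undiscounted, Years 1 to 3 discounted at year end at 10%) and the PV, NPV, ROI and payback definitions above can be checked against the tables in this section. The following Python is an added worked example, not part of the Forrester study: it copies the risk-adjusted rows and the cash-flow summary totals from the tables above and recomputes the stated present values, NPV, ROI and payback. The summary's total benefits row exceeds Btr + Ctr + Dtr because it also carries a benefit (Ref. A, whose hourly rate A5 is referenced in the Dt row) whose table precedes this section; the example takes the summary totals as given rather than reconstructing that row. The month-level payback estimate assumes each year's net cash flow accrues evenly by month, which is an assumption of this example and not stated in the study.

```python
"""Recompute the discounted figures in this study from its own table values.

Added worked example, not part of the Forrester study. The inputs are the
risk-adjusted rows copied from the benefit and cost tables and the cash-flow
summary; the discounting convention follows Appendix A: the initial period
is undiscounted and Years 1-3 are discounted at the end of each year.
"""

DISCOUNT_RATE = 0.10  # yearly discount rate Forrester assumes for this analysis

# Cash flows for [initial, Year 1, Year 2, Year 3] and the stated three-year PV,
# copied from the tables in this section.
SERIES = {
    "Btr reduced vulnerabilities":        ([0, 152_757, 152_757, 152_757], 379_884),
    "Ctr contracts enabled":              ([0, 240_000, 240_000, 240_000], 596_844),
    "Dtr developer time savings":         ([0, 269_280, 269_280, 269_280], 669_660),
    "Etr subscription":                   ([71_500, 220_000, 220_000, 220_000], 618_607),
    "Ftr implementation and management":  ([38_720, 85_184, 7_744, 7_744], 128_378),
    "Gtr change management and training": ([2_024, 8_096, 0, 0], 9_384),
}

# Totals from the cash-flow summary table. Total benefits include a benefit
# (Ref. A) whose table is outside this section, so they are taken as given.
TOTAL_BENEFITS = [0, 1_012_101, 1_012_101, 1_012_101]
TOTAL_COSTS = [112_244, 313_280, 227_744, 227_744]


def present_value(flows, rate=DISCOUNT_RATE):
    """Initial flow undiscounted, plus each year's flow divided by (1+rate)**year."""
    return sum(amount / (1 + rate) ** year for year, amount in enumerate(flows))


def check_series(series=SERIES, tolerance=1.0):
    """Map each series name to (computed PV, stated PV, agrees within tolerance).

    A tolerance of one dollar absorbs the rounding the study itself notes.
    """
    result = {}
    for name, (flows, stated) in series.items():
        computed = present_value(flows)
        result[name] = (computed, stated, abs(computed - stated) <= tolerance)
    return result


def payback_months(net_flows):
    """Months until cumulative undiscounted net cash flow reaches zero.

    Assumption of this example: each year's net flow accrues evenly by month.
    Returns None if the investment does not pay back within the horizon.
    """
    cumulative = net_flows[0]  # the initial period carries only costs
    for year in range(1, len(net_flows)):
        monthly = net_flows[year] / 12
        for month in range(1, 13):
            cumulative += monthly
            if cumulative >= 0:
                return (year - 1) * 12 + month
    return None


def summary(benefits=TOTAL_BENEFITS, costs=TOTAL_COSTS):
    """Headline figures: benefit and cost PVs, NPV, ROI (a fraction), payback."""
    net = [b - c for b, c in zip(benefits, costs)]
    benefit_pv = present_value(benefits)
    cost_pv = present_value(costs)
    return {
        "benefit_pv": benefit_pv,
        "cost_pv": cost_pv,
        "npv": benefit_pv - cost_pv,
        "roi": (benefit_pv - cost_pv) / cost_pv,  # net benefits divided by costs
        "payback_months": payback_months(net),
    }


if __name__ == "__main__":
    for name, (computed, stated, ok) in check_series().items():
        status = "OK" if ok else "MISMATCH"
        print(f"{name:36s} computed ${computed:,.0f}  stated ${stated:,}  {status}")
    s = summary()
    print(f"NPV ${s['npv']:,.0f}  ROI {s['roi']:.0%}  payback {s['payback_months']} months")
```

Running the script reproduces each table's three-year present value to within a dollar, the $1,760,576 NPV and the 233% ROI from the cash-flow summary, and places payback in the second month of Year 1, consistent with the study's "<6 months". Swapping in your own cash flows for the composite's is the way to use the framework with your organization's estimates, as the study recommends.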
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
1 Source: 2025 Open Source Security and Risk Analysis Report, Synopsys.
2 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
3 Source: Forrester’s Security Survey, 2024.
4 Ibid.
5 Source: 2025 Open Source Security and Risk Analysis Report, Synopsys.
Readers should be aware of the following:
This study is commissioned by Chainguard and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Chainguard Containers.
Chainguard reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Chainguard provided the customer names for the interviews but did not participate in the interviews.
Anahita Sultana
January 2026