Forescout trusts Chainguard to accelerate FedRAMP High compliance without slowing down engineering
The challenge
For Forescout's highly focused DevOps and CloudOps team, CVE remediation was death by a thousand cuts. It was consuming valuable engineering hours better spent on core platform innovation, and the challenge only intensified with the pursuit of FedRAMP High authorization. As Justin Foster, CTO at Forescout, put it: "Federal is a very important sector for Forescout, and with many of our new products being in our Forescout Cloud SaaS, unlocking more top-of-line growth with FedRAMP is essential."
But building and maintaining hardened, FIPS-compliant container images, manually remediating OS-level CVEs, and keeping pace with FedRAMP's vulnerability timelines would have required multiple full-time engineers that Forescout simply didn't have.
The solution
Forescout required a partner with two things: a broad catalog of container images and a track record of keeping them up to date. Chainguard had both — and the team to back it up.
After testing a few images, the team found the migration straightforward and saw that building on Chainguard helped apply industry best practices more consistently across the board. The initial proof of concept wrapped in a week, and within a few weeks, Forescout had migrated its entire container fleet to Chainguard.
Today, Chainguard is woven into Forescout’s standard build and deployment workflow: application teams pull Chainguard base images as their foundation, while CloudOps and DevOps own CI/CD integration, image promotion, and vulnerability scanning. Images are validated in the commercial cloud first, then the same hardened artifacts are promoted into the FedRAMP environment.
The results
FedRAMP High authorization in under 12 months
Forescout completed its FedRAMP High ATO, from project kickoff to authorization, in under 12 months. As Brendan Johnson, Director of Architecture at Forescout, explained, without Chainguard “we would have needed to continue building and maintaining our own hardened, FIPS‑compliant container images, manually remediating OS‑level CVEs, and dedicating multiple engineers just to keep pace with FedRAMP vulnerability timelines.”
With that burden lifted, Forescout’s engineering teams could stay focused on shipping product.
Compliance standards drove a scalable delivery model
Adopting Chainguard had an effect the team didn’t fully anticipate: it became the catalyst for standardization across the entire engineering organization, with the same base images, Java versions, and runtime environments used across every application. That consistency turned FedRAMP from a one-off exception into part of the normal delivery model, without sacrificing velocity or reliability.
It also created a better foundation for ongoing audit work. With hardened, consistent images across commercial and federal environments, audit friction went down. Scaling into regulated federal markets became something engineering could support without stopping to build parallel infrastructure every time.
A new relationship with open source
Before Chainguard, open source artifacts were something Forescout had to harden and defend. Every base image, library, and runtime carried the risk of unmanaged CVEs or non-FIPS cryptography, risks the team had to track and remediate themselves. Now, teams start from a trusted, well-maintained foundation with a defensive posture already in place.
That shift aligns directly with how Forescout is built: defense-in-depth, secure defaults, and continuous risk reduction at every layer. Chainguard reinforces all three before an application is ever deployed.