
Sublime Security trusts Chainguard to reduce CVEs and reclaim capacity
The challenge
CVE triage is unglamorous work. Before Chainguard, it was also consuming a disproportionate share of Sublime Security's security team's time. Every new vulnerability report triggered the same questions: Is this reachable in our environment? Is it actually exploitable? Answering them took real investigation, and the volume kept growing.
As a security company, Sublime also holds itself to a higher bar internally—the standard they set for their own production environment reflects the same standard they promise their customers. And enterprise customers were pushing hard on vulnerability management, asking to see SBOMs and evidence of active remediation—checking a SOC 2 box was not enough.
Andrew Becherer, CISO at Sublime, explained, "Before Chainguard, we had significant issues with the number of CVEs we had in our production environments. Keeping up with them was very difficult. Not every issue is created equal, so we would frequently have to engage in all sorts of analysis."
Jonathon Klobucar, Security Engineer at Sublime, ran into the logical end of this problem: to stay on top of vulnerabilities properly, the team would have had to become its own “image bakery,” scanning open source images, tracking down upstream fixes, and sometimes rebuilding packages from source when no fix existed. That’s a full-time operation, and Sublime didn’t have the headcount for it given the size of their team.
The solution
The team looked at building in-house and at other vendors, but neither was the right solution for Sublime.
Other vendors pulled images from upstream without patching them, which didn’t offer much improvement over what the Sublime team could already do. Building internally was something Andrew had previously undertaken at well-resourced organizations, and he knew exactly what it cost in terms of time, effort, and money.
“What we were looking for was something that was going to minimize our attack surface, that was going to reduce the number of issues as low as possible, and that was going to be really easy for our engineering organization to implement,” Andrew explained. “And that's what we found in Chainguard container images.”
Getting Chainguard Containers into production took a matter of weeks. Today, the integration runs through OpenID Connect (OIDC) and GitHub Actions. Sublime engineers pick base images from the catalog without routing through security for approval.
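The sentence above only names the pieces (OIDC, GitHub Actions, a catalog base image). As an added illustration, not Sublime's or Chainguard's own configuration, the workflow below shows the shape such an integration typically takes: the job requests a GitHub OIDC token (`id-token: write`), exchanges it for registry credentials, builds an image whose Dockerfile starts from a catalog image, and scans the result. The `chainguard-dev/setup-chainctl` action and its `identity` input are used to the best of my knowledge of that action; the identity value, repository name, image tag, and the scanner step are placeholders assumed for the example.

```yaml
# Added example workflow: GitHub Actions + OIDC to pull a Chainguard base image.
# Nothing here is taken from Sublime's actual pipeline; identifiers are assumed.
name: build-and-scan

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # lets the job mint a GitHub OIDC token for registry auth

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the job's OIDC token for Chainguard registry credentials.
      # "identity" is an assumed identity ID; it is created once in the
      # Chainguard org and bound to this repository's OIDC claims (repo, ref).
      - uses: chainguard-dev/setup-chainctl@main
        with:
          identity: "00000000-0000-0000-0000-000000000000"  # placeholder

      # Dockerfile is assumed to start from a catalog image, e.g.:
      #   FROM cgr.dev/chainguard/python:latest
      - name: Build image
        run: docker build -t example-service:${{ github.sha }} .

      # Scan the built image; the scanner and its flags are assumed here.
      # The point of the case study is that this step should come back
      # close to empty for base-image findings.
      - name: Scan image
        run: grype example-service:${{ github.sha }} --fail-on high
```

The security-relevant detail is the trust boundary: no long-lived registry secret is stored in the repository. GitHub issues a short-lived OIDC token whose claims name the repository and ref, and the registry-side identity is configured to accept only tokens with those claims, so a leaked workflow file or fork cannot reuse the credential.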
The results
Near-zero CVEs, hours back
Sublime manages weekly triage through rotating "runners" who take new incoming work, assess scope, and score vulnerabilities using internal tooling. Before Chainguard, container image vulnerabilities ate a significant portion of every triage rotation. The work was constant, crowding out everything else.
As Andrew explained, “the most measurable outcome has been a near 100% reduction in base image CVEs for teams that have adopted Chainguard internally.” That translates directly into a dramatic reduction in labor associated with triaging, patching, and rolling out new images.
Jonathon puts the time savings in concrete terms:
"Chainguard has taken a large, onerous task that used to consume most of someone's triage shift, and eliminated that workload, freeing up at least 50% of their time to spend on higher-value things. It's been a huge improvement in triaging new work for us."
Andrew emphasizes that this outcome wouldn't have been possible without a partner like Chainguard.
Security work that matters
The time freed up has gone toward application-layer security work that had been backlogged. With distroless images carrying a smaller software surface, false positives have decreased, and scans generate fewer alerts that turn out to be irrelevant.
"Since implementing Chainguard," Jonathon explained, "we've seen both a reduction in false positive reports due to our containers now having a much smaller software surface due to the distroless nature."
Less noise, less paperwork
Vulnerability management often pits security and engineering teams against each other. Security surfaces CVEs, and engineering has to fix them while managing everything else on its plate. This back-and-forth often creates noise and friction, but when the issue count drops, the relationship changes.
Andrew explained, “When those issues don't exist in production, we don't have to talk about them. And so, not having to raise those issues with our partners in engineering, it reduces friction, and it really bolsters the messages that we do take to them because we're a lot less noisy.” A team that spends less time reacting to noise carries more credibility when they do need to escalate something, and that credibility compounds over time.
The dynamic shift extends to compliance as well. When a fix doesn't exist upstream, Chainguard writes the exception documentation, a task that previously fell to Jonathon's team. SBOM data and provenance records are also available to compliance teams without them having to request anything from security, which keeps customer-facing audit workflows moving without the usual bottlenecks.
For Andrew, the individual wins add up to something bigger: a security team that punches above its weight because it's no longer buried in work that shouldn't require its attention.