VPBank is one of Vietnam’s most influential financial institutions; a retail banking leader serving more than 30 million customers and operating at a scale few organizations in Southeast Asia can match.

The challenge

At this scale, protecting customers has been a mandate at VPBank since its founding in 1993.

As Tuan-Anh Tran, Director of Tech Platform Center, IT Division, explained, “At VPBank, security has always been the number one priority for the bank. We need to maintain trust with our customers. Our approach to security has always been minimal attack surface.”

An early adopter of Kubernetes, VPBank was the first bank in Vietnam to run Red Hat OpenShift Container Platform back in 2019. But as the organization scaled its cloud-native infrastructure, the operational burden of securing open source software grew quickly. Vulnerability management was fragmented and manual, with each application team responsible for identifying, triaging, and fixing CVEs on their own.

The solution

VPBank needed an approach that would remove vulnerability management from individual application teams, strengthen the bank’s overall security posture, and not create more friction. That search led them to Chainguard. Partnering with Chainguard would reduce VPBank’s attack surface, streamline patching, and enhance security through cryptographically signed images with Software Bill of Materials (SBOMs) and verifiable provenance.

After mirroring Chainguard Containers into its internal registry and adapting workflows to support Chainguard digests, VPBank rolled out developer-focused testing. The metrics spoke loudly enough that adoption became a no-brainer.

The results

Speed without compromising compliance

The impact for VPBank was immediate: dramatically reduced CVE noise, smoother go-lives, and faster time-to-value. What once required urgent, time-consuming remediation cycles became a built-in part of the platform. It was reliable, repeatable, and invisible to most teams.

By shifting vulnerability management to the platform layer, compliance no longer slowed development. Instead of navigating security requirements on every release, developers could rely on a secure-by-default foundation and focus on building features that move the business forward.

This shift removed friction between security, DevOps, and development teams, allowing each group to stay focused on what they do best.

Security that’s invisible, but absolute

For VPBank, compliance isn’t the end goal; trust is. Tuan-Anh explained, “Compliance is one thing, but we want to actually be secure by default instead of just checking compliance boxes. This is how we ensure that every innovation we ship is built on a foundation of integrity.”

Today, Chainguard plays a foundational role in how VPBank thinks about securing containerized workloads and using open source at scale. With simplified audits, fewer vulnerabilities, and a more efficient development pipeline, the bank is better positioned to deliver reliable digital experiences to millions of customers.

As Tuan-Anh describes it, Chainguard provides not only a long-term solution to an evolving container landscape but also renewed confidence in the security and stability of the bank’s technology platform.