HiddenLayer trusts Chainguard to eliminate vulnerability noise

Founded in 2022, HiddenLayer delivers security for AI. And with a mission like that, there’s zero margin for error when it comes to the security of their own software.

“Because we’re a security company and face such high scrutiny for what we deliver, having clean images is table stakes,” said Caleb Chenoweth, Principal Software Engineer at HiddenLayer.

The challenge

Before adopting Chainguard, vulnerability management was a constant source of disruption. The company’s vulnerability scans surfaced a steady stream of Common Vulnerabilities and Exposures (CVEs), resulting in an endless flow of Jira tickets.

The operational impact added up quickly and drained engineering morale. A project manager spent roughly half a day each week managing vulnerability-related work, while engineering managers lost 30–60 minutes per day just triaging tickets. Individual product engineers were often spending multiple hours a day researching, validating, and patching issues that had little to do with the application code they owned.

Caleb explained, “It was death by a thousand cuts. Even when an issue wasn’t a massive time sink on its own, the constant context switching created more burden than the fix itself, and engineers ended up spending more time patching than shipping the product they were hired to build.”

At the same time, HiddenLayer was navigating strict security and compliance requirements, including SOC 2, multiple NIST standards, and government-specific requirements like FIPS-validated container images, which gated contract revenue. Meeting those expectations left little room for noisy scans, surprise findings, or inconsistent base-image choices across teams, raising the stakes for getting container security right.

The solution

After adopting a Static Application Security Testing (SAST) tool for vulnerability detection and compliance visibility, the HiddenLayer team made their next move: purchasing Chainguard Containers to reduce vulnerability noise at the source through a secure-by-default foundation. They started by standardizing on Chainguard’s hardened base images for their Go and Python services, including a minimal runtime image for Go binaries, so engineers could stay focused on building product instead of patching underlying OS-level issues.

With the right infrastructure already in place, implementation was straightforward. For most teams, adoption came down to swapping base images and making minor updates to their build process. As Caleb said, “The ability to plug into the Chainguard registry through our tools made onboarding really simple.”
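The base-image swap described above, shown as an added example for a hypothetical Go service (this is not HiddenLayer's or Chainguard's own build file; the `./cmd/api` path, port 8080 and binary name are assumptions):

```dockerfile
# Added example: multi-stage build for a hypothetical Go service.
# Assumption: the module builds one binary from ./cmd/api that listens on 8080.
#
# Before the swap, a typical Dockerfile pulled a general-purpose distro image,
# whose packages are what the scanner kept flagging:
#   FROM golang:1.22 AS build
#   FROM debian:bookworm-slim
# After the swap, only the two FROM lines and the runtime user change.

# Build stage: Chainguard's Go image supplies the toolchain.
FROM cgr.dev/chainguard/go:latest AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Statically linked binary, so the runtime stage needs no libc, shell or package manager.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/api ./cmd/api

# Runtime stage: the minimal static image contains CA certificates, a passwd
# entry for the nonroot user and nothing else, so OS-level findings disappear
# and any remaining scanner hits map to the Go module dependencies listed in go.sum.
FROM cgr.dev/chainguard/static:latest
COPY --from=build /out/api /usr/bin/api
# The image already defaults to the unprivileged nonroot user; state it explicitly.
USER nonroot
EXPOSE 8080
ENTRYPOINT ["/usr/bin/api"]
```

Scanning the resulting image shows the effect the case study describes: findings are attributed to application dependencies rather than to distro packages nobody on the team chose.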

As HiddenLayer’s requirements expanded, particularly to support their self-hosted offering, they expanded their usage to Chainguard’s catalog licensing model. That shift gave them access to a broader set of Chainguard-maintained container images and Helm charts for the additional components required in their environment. Instead of rebuilding and hardening third-party dependencies internally or adding another vendor, they could standardize on Chainguard’s catalog, saving what they estimated would have been about three months of migration and hardening work.

Mark Culley, Director of Developer Experience at HiddenLayer, explained, “Chainguard is a huge accelerator for us, both for our efficacy as developers and our ability as a company to move forward and pursue sales. It’s paid for itself.”

The results

A dramatic reduction in vulnerability noise

After moving to Chainguard Containers, HiddenLayer saw an immediate and sustained drop in CVEs. Any vulnerabilities that surfaced afterward were tied directly to application dependencies or intentional upgrade decisions, not mysterious base-layer components that nobody remembered adding.

This made scans meaningfully more trustworthy: when something flagged, it was worth attention, reducing alert fatigue and helping teams move faster with more confidence.

90% of CVEs just evaporated overnight—and they haven't come back.
Caleb Chenoweth, Principal Software Engineer, HiddenLayer

Freeing engineers to build, not patch

By removing the bulk of base-image vulnerabilities, Chainguard significantly reduced the operational overhead that HiddenLayer had been carrying. Fewer CVEs meant fewer tickets, fewer meetings, and far less context switching, freeing teams to focus on the work that actually differentiates HiddenLayer.

Chainguard enabled all of our development teams to stay focused on our actual app. We’re not wasting our engineering time solving the same problems that Chainguard has already solved.
Caleb Chenoweth, Principal Software Engineer, HiddenLayer

In addition, Chainguard’s minimal images helped eliminate a quieter source of friction: image sprawl. Smaller, standardized images reduced storage and network transfer overhead over time, while also eliminating recurring debates about which base image to use. Teams stopped swapping images in search of marginal gains, removing downstream ripple effects and further reducing operational churn.

Unlocking revenue by building trust

For HiddenLayer’s customers, particularly those in government and regulated industries like financial services, clean vulnerability scans from vendors are non-negotiable. If the self-hosted deployment doesn’t result in clean vulnerability scans, deals fall through, and contracted revenue gets held up.

Having FIPS-validated images removed a critical blocker in government evaluations, helping prevent deals from stalling during security and compliance reviews.

By standardizing on Chainguard Containers and validating the resulting images with their vulnerability scanner, HiddenLayer achieves clean, consistent results across customer environments. This kind of trust in the security of HiddenLayer’s product is a competitive differentiator against other vendors and helps accelerate deal cycles.

“If our customers take a self-hosted product from us, you bet they're going to scan it, and it better be clean,” Mark said. “The image quality has been so high that we quickly built trust in Chainguard. It’s rare for an image to scan anything other than clean for us.”

The trust Chainguard helps customers build with their users extends beyond the product itself. Mark and Caleb highlighted Chainguard’s responsiveness and hands-on support as a critical part of their experience, whether enabling new capabilities, answering questions, or helping the team move quickly without getting blocked.

Knowing that we can trust Chainguard to not surprise us gives us peace of mind. Our customers trust us because we trust Chainguard.
Mark Culley, Director of Developer Experience, HiddenLayer