Chainguard raises $356M Series D to build a safe source for all open-source software
Apr 25, 2025 with Dan Lorenc
Key Points
- Chainguard raises $356M Series D to scale sales and expand beyond container images into VMs and language-level libraries, betting that open-source security will remain a growth market as AI accelerates code volume without improving quality.
- The XZ Utils attack in early 2024, where a fabricated identity injected malware into a trusted library after a year of trust-building, crystallizes Chainguard's core thesis: pseudonymous open-source contribution makes identity verification at scale effectively impossible.
- Compromised AI model weights pose an unauditable supply chain risk that Lorenc says may already exist undetected in deployed LLMs, offering attackers a SolarWinds-style vector with no practical mechanism for detection or defense.
Summary
Chainguard has raised a $356M Series D — a notable milestone for a company that is only three and a half years old and began selling its flagship product in mid-2023. Dan Lorenc, the company's CEO and co-founder, describes the core proposition as building a safe source for all open-source software, addressing a problem that underpins the modern internet: 90 to 98% of application code is open-source, written by anyone, and trusted by default.
The problem
SolarWinds was the catalyst for starting Chainguard, but Lorenc traces the intellectual roots to a 1970s Turing Award paper by Ken Thompson — Reflections on Trusting Trust — which proved that a backdoor in a compiler propagates invisibly through everything built with it. The industry effectively ignored that insight for four decades.
The threat that keeps Lorenc up at night is the XZ Utils attack from early 2024. A widely used compression library, maintained by a single developer for roughly a decade, was handed off to a new contributor who had spent a year building trust through legitimate bug fixes. Three months after taking over, that contributor slipped in sophisticated malware. The contributor turned out to be a fabricated identity — not a real person. The attack was caught at the last minute, but Lorenc's view is that it was almost certainly not the first time something like this happened, just the first time it was noticed.
The structural problem is identity. Open-source contribution is pseudonymous by design, and verifying who is behind a commit at scale is, as Lorenc puts it, effectively impossible without knowing the identity and life history of every contributor on the internet.
The product and growth
Chainguard's core product is Chainguard Images — hardened container images that give enterprises a verified, clean source for the open-source components they run. Commercial sales started in mid-2023 with a handful of direct reps reporting to Lorenc himself. Demand outpaced hiring from the start; the company has been "perpetually behind" on building out its sales team because inbound has consistently exceeded capacity.
The $356M will go toward expanding that sales org and accelerating R&D. Chainguard is extending beyond container images into virtual machines and language-level libraries, which Lorenc frames as just scratching the surface of open-source security.
AI makes the problem worse before it gets better
AI-generated code is increasing the volume of open-source code without improving its quality. Lorenc's position is that bugs per line of code will likely increase as less experienced developers ship more, widening the security gap Chainguard is trying to close.
On the defensive side, AI adoption in security is slow — partly for good reason, since giving autonomous agents direct access to production systems is genuinely risky. Attackers face no such hesitation. Lorenc's read is that defenders are currently losing the arms race and face a catch-up period ahead.
The LLM supply chain risk
The sharpest forward-looking concern Lorenc raises is the possibility of poisoned AI model weights — the equivalent of a SolarWinds-style attack embedded in an open-source LLM. Research already shows that tainting a percentage of training data can predictably influence model outputs. Unlike source code, which is at least theoretically auditable line by line, a 40-gigabyte weights file cannot be read or reverse-engineered in any practical sense. Lorenc says it would not shock him if compromised weights already exist, in DeepSeek or any other model, intentionally or otherwise. There is currently no credible mechanism to detect such a compromise.