Chainguard raises $356M Series D to build a safe source for all open-source software

Apr 25, 2025 · Full transcript · This transcript is auto-generated and may contain errors.

Featuring Dan Lorenc

going to be in trouble. Uh we will figure that out. But we will first have a chat with Dan from Chainguard. Welcome to the stream. Thanks for having me on. Yeah. Thanks so much for joining. Congratulations on the hefty $356 million Series D.

Uh we'd love for you to introduce yourself, break it down, give us the news, tell us what's up. Oh man, I was just on my roof 10 minutes ago trying to get my Starlink to work because my internet was down for two hours and it came back on five minutes before this. So, I'm so happy to be here. Well, it's a miracle.

It's meant to be. Yeah, perfect. Where are you right now? Yeah. Yeah. I'm in my basement in Rhode Island. Oh, nice. Nice. Very cool. Um, yeah, we're an all remote company. Um, yeah, we're about three and a half years old at Chainguard.

Um, we got started during the pandemic, so there were no offices and we've kept it that way as we've grown. Uh, but we're building a safe source for open source software.

Um, open source is this kind of like hippie software movement uh that's been around for like 30 or 40 years, but it's like anyone writes code and puts it on the internet for free and people use it and everyone kind of gives back and trusts it and it and it mostly works. Um, it's awesome.

It's like 90 to 98% of the code that people use when they're writing, you know, their own applications. But when you're using code that's written by anyone on the internet, um, it turns out not everyone on the internet is a nice or responsible person. And that leads to security issues.

What was the single I was about to say? Yeah. What's the inciting story? Is it SolarWinds? What What do you go back to as like the the the foundational uh story that we will be able to prevent in the future? Yeah, SolarWinds was like one of those eye opening moments.

Um it's something I've been paranoid about for a while though. There's actually this paper that was like written in the 70s by Ken Thompson called Reflections on Trusting Trust. And it was like a Turing Award-winning paper. Like it was his his paper after he won an award.

Um, and he kind of proved by pranking all of his co-workers at Bell Labs that if like there's a back door in a compiler, a compiler is a thing that turns source code into like, you know, the thing you're actually going to run, then you can't really trust any of the programs that are ever built with that or any of the things that are built with those things.

Um, and it's an awesome paper. And then everyone just kind of blocked this out for like the next 40 or 50 years. Um, until SolarWinds happened basically where somebody actually spent the time and did something like that and then had dramatic consequences as a result to all those kind of downstream customers.

But my co-founders and I have been working on this stuff for a while at Google and SolarWinds was kind of the kickstart to actually get this company going. Got it. So, uh talk to me about I mean the ramp on this company is inc is crazy. Uh what was the first customer? What was the go to market? How did you scale?

I want to hear all that. Yeah, we spent a while in the beginning trying to figure out what we wanted to do from a product side. Software supply chain security, open source security, it's a whole bunch of problems. It's not just one problem.

And it took a while to figure out which one people actually wanted to solve first. It was this topic everybody knew about after SolarWinds. There was an executive order from the Biden administration, that kind of thing. But nobody was really ready to take action yet.

They were all just paying attention to and learning about the space. So, we tried a bunch of different things. Um, but this product that we have now, our our Chainguard Images product, uh, we started on it pretty early and it took a while to get going.

Um, because, you know, there was a lot of software that we had to build to get to this point where people could come to us and get whatever they wanted to run from us. Um, we first started selling it like Oh, sorry. Go ahead. Oh, yeah.

I I I just wanted to hear just finish that story and then I'll ask the next question about, you know, Yeah, we really first started selling it about halfway through calendar year 2023. We got the first couple customers on board. Um, we had a couple sales reps at the time. They reported directly to me.

Um, after it really started selling though and we we had a feeling it was repeatable, we brought in a VP of sales, really started to scale that, but we've kind of been perpetually behind on, you know, growing our sales team as a result. The demand has been, you know, more than we can handle. Think you're doing great.

Um, uh, talk about, uh, I want to ask you, uh, more potentially just, uh, fun question, not so serious. Uh, talk about the brand. I think if you said 20 years ago that like a you know security software company would have such a fun uh delightful uh brand they would have kind of laughed at you.

Is it just a is it just an extension of of you know the team and and your guys's internal culture or how did that come together and and what's been the customer response to that? Because I imagine you like at at this point many of your customers are not just cool exNative uh startups.

They're you know really you know scaled enterprises. Yeah. I I think you know it's a reflection of in some ways our internal culture right like security is really serious work. The type of security we do is really tedious work. It can be boring. It can be hard stuff nobody really wants to do. And we try to keep it fun.

One of our, you know, core values is we do serious work, but we don't take ourselves too seriously. Um, and we we spend a lot of time on that one. Um, we have fun in all hands. We do crazy stuff summits, that kind of thing. And it helps keep the culture light.

You know, when when you're about to, you know, go spend eight hours trying to fix some tiny bug somewhere in some piece of software you don't understand. It helps to laugh every once in a while that you know it keeps everybody engaged, keeps everybody having a good time, especially when things get tough.

Um, and we try to, you know, reflect that in our social media and our branding and the events and all that stuff we do. Yeah. Um, I get cold called all the time. There's all these brands out there and like just some personality and authenticity really goes a long way in this. Totally.

Uh what what uh what what are the the general risks in in in you know cyber security risks around software that that kind of like keep you up at night that aren't related to Chainguard directly and what you guys are doing. So kind of like more at a macro level.

Um I mean this one's sort of related to us but it it it really is the one that keeps me up at night but we don't have a perfect solution to it either. So, so I don't feel too unfair, but it's it the XZ Utils attack at the start of last year, if you remember that one.

I think that's the one that probably should be keeping the entire industry up at night. Um, it was this piece of open source software that had been around for like 30 years. It's this compression library that's used everywhere across the internet.

You know, as you upload, download things, it all gets compressed and decompressed just like from Silicon Valley. Um, you know, the Middle-Out compression kind of thing. Um, uh, it's everywhere. You don't even think about it. And it was maintained by just one person like a lot of projects are for, you know, like a decade.

And uh somebody else just showed up and started helping. And they were like fixing bugs, doing good stuff, cleaning up the old code nobody else got around to for like a year or two. And then the original person was like, "You know what? I've been doing this for a long time. You're doing a good job.

Why don't you just take over?" And the original person just kind of left. Uh and then 3 months later, this malware gets slipped in that was incredibly sophisticated. And it turned out it wasn't even a real person. It was just like a made-up name on an email list. Uh, her name was... started showing up. Yeah, Jia Tan.

That's not even a real person. Um like there are people with that name and they had a terrible week uh getting harassed, but none of those were that Jia Tan. Um and uh it was luckily detected at the last minute and it was a a really close call. But that's not the first time that's happened.

I'm sure it's just the first time we've noticed and that's definitely not the last time that type of thing is going to happen. It's about trust in the end. You have to trust the people that are doing this and you don't know if they're a nice person on the internet. It's what's that old meme?

You don't know if someone on the internet is a dog, right? Yeah. Nobody on the internet knows you're a dog. Yeah. A dog, a Russian or North Korean hacker, you know, nobody on the internet knows these things. So, it's kind of related to what we do. So, but like it's a hard one.

It's impossible to solve unless you know the identity of every single person and you know their entire life history. Yeah, this is somewhat related.

I can imagine um there's a world where this is handled by the government and if there's critical software that's identified, it's like we're going to find this person and verify who they are and basically do a background check.

On the other side, the more futuristic Silicon Valley tech approach might be um hey, we have incredible software LLMs. We have AI agents. What if we just run an LLM over every piece of public code constantly, on every review, every uh every git push or every pull request, right? Um uh how are AI agents uh effective?

Is it just going to be a uh like a cold war of of both sides using AI to sneak ever ever more complex hacks in and catch them? Is it cat-and-mouse? Um, how are you seeing AI and AI agents uh helping or hurting in the future? I'm scanning the internet right now while we're talking.

Yeah, I'm vibe I'm vibe scanning the internet. Um, that's good. Yeah. No, it's it's an arms race like everything in security. Attackers get better. They move around, find different ways in um and defenders have to have to keep up. Right now, I think we're losing that war, right?

We're getting a lot better at finding vulnerabilities in software and finding ways to exploit them than we are at keeping up with that. I hope that changes. Um, you know, AI adoption in security has been pretty slow. Um, and for a good reason. It's kind of scary.

Uh, you don't want to just run these things with direct access to all of your systems, but attackers aren't slowed down by that. They're running this stuff every day and every week as it changes.

Um, so it's going to be a kind of wakeup call and catchup period as the defenders figure out how to use it as well as the attackers are. What's the what's the vibe in the security community right now?

Um, just I is it uh I I remember I I like accidentally landed in Vegas during DEF CON or Black Hat and was kind of out of my element one year. Um uh but uh what does it take for somebody to break into the industry? Uh where are the key uh pipelines? Are people even like are universities relevant here anymore?

I know there's a lot of hackers that just kind of uh do uh CTFs and then become famous. Um, but what are the typical pipelines into either a career at your company or just the industry broadly? Yeah, security is both really easy to break into and hard at the same time, right?

Like like you mentioned, universities aren't terribly relevant. There's no, you know, college that you get a degree in cyber security from. Um, even programming in general, right? You can learn this stuff on your own. I learned it on my own. I did mechanical engineering. I never took a programming class.

Uh, but it's also hard because there's so much esoteric stuff. Like there is no curriculum. You kind of just have to spend all that time on those forums and reading Hacker News and reading all these different sources. So, I'd say there there's not a lot of credentialism.

Um, but there is still this like kind of obscure dark knowledge base that you do kind of have to pick up on on your own, but it is incredibly welcoming. Hopefully, you had a good experience when you landed there in the desert um at DEF CON. Um, it's always a fun crowd. Yeah, totally. Um, yeah, it's way more fun than RSA.

You never know what you're going to get in Vegas. It might be the plumbers, you know, annual conference or an arms dealer conference or it's always different. Uh but yeah, I remember people were joking like, oh, like like don't even go near the DEF CON folks.

Like they'll hack your phone in two seconds while you're not even looking. No one takes a shower. Yeah, that too. That too. Um yeah. So, uh what what's next for the company? I mean, you have a new war chest. Uh you mentioned hiring salespeople, scaling that up. What are the new challenges?

What are the goals for the coming 12 to 18 months? Uh, yeah, we're trying to be the safe source for all open source. You know, up until today, it's been pretty limited with just our container images. Um, we're adding new products. We just announced a few a month or two ago.

Um, virtual machines, language level libraries. Uh, you know, we're really just on the tip of the iceberg when it comes to open source. So, we're scaling up our investments a lot in R&D, our automation, making this stuff easier for us to do as we continue to grow and scale.

You know, the amount of open source that we have, it's moving even faster. You asked about this about AI. Uh, open source is accelerating. Um, you can crank out code even faster now. Um, today it's more people writing more code. All code has bugs. We haven't really made an improvement dramatically that way.

And like, you know, the the number of bugs per line of code written. In fact, it'll probably go up as more inexperienced people start writing more and more of this. So, the security gap is getting wider and we have to get even faster at it. Yep, that makes sense.

Uh, one one more question on AI and we'll let you get out of here. Uh, Dario over at Anthropic uh, just published a piece, The Urgency of Interpretability.

Uh Jordy and I were talking a few months ago about uh DeepSeek and this idea that even if it's open source, uh there could potentially, it's a little sci-fi, but there could potentially be a Manchurian candidate buried in the weights of one of those models, uh is that something you're thinking about? Is this pure sci-fi?

Is this a year, two, five, 10 out? How should we think about uh auditing the output of open-source LLMs? Because that seems like a really valuable target if I'm a hacker.

Yeah, I've seen studies not even just recently, you know, within the last couple years where if you could taint a percentage of the training data going into a model, you can control some of the output. This stuff is not possible to reverse engineer.

Code is hard enough to reverse engineer and this is that scaled up by like a thousand x. Um, open source models, you know, there is an open source definition for models and these weights, but you know, you can read source code. It's hard. Uh but you can't read these ones and zeros in a, you know, a 40 gigabyte file.

Um it would not shock me if it's in there, even not even just DeepSeek, in any of these models, intentionally or unintentionally. Um we like to think that we can review stuff line by line and catch these bugs, but there's no possible way to do that with LLMs. The whole explainability piece is scary. Totally.

Um, well, thank you so much for stopping by. We we we have to cut it short because we have to run to a meeting. But, uh, this was fantastic. We'd love to have you back on the show, uh, whenever.

Hopefully, there's never a big security, uh, incident, but if there is one, we'll be calling you and we'll be playing this sound effect. Oh, no. You know where to find me. Thank you so much. Thanks for coming on. Good luck. Have a great weekend. Yeah. We'll talk to you later. Bye. See you, Dan. Uh, fantastic.

Well, we have to wrap up. We have one last ad. Linear, you heard from the CEO directly. It's the new standard for pro modern product development. Uh go check out Linear: build with focus, ship with care. linear.app. And thank you. We will wrap up there. We will be back Monday. Yeah, we're sorry we have to run.

Uh it's going to be a massive week next week. We're going to be on the ground at Hill Valley in DC. Uh we have a lot more planned, a lot more timeline, a lot more top stories. Uh a lot more real estate stories hopefully. That's right. I'd love to break down some more mansions. We'll see. Anyway, thank you for watching.

We will see you soon. Have a fantastic.