Your engineering team ships data products that 3,000+ customers (GPs, LPs, and allocators) use to make investment decisions worth billions. Since the S&P Global acquisition closed in November, you're also integrating four acquired platforms (SPS, The Deal, Realfin, FolioMetrics) into a single intelligence product. Every container image, every Python dependency, and every open-source package across all of those codebases now falls under a different level of scrutiny. Chainguard is the trusted source for open source: containers and libraries rebuilt from verified source, with zero known CVEs.
Open source won. Over 90% of modern applications are built on open-source components. It's in your ML pipelines, your APIs, your data services. That's a good thing. Open source gives engineering teams speed, flexibility, and access to world-class tooling without rebuilding from scratch.
But the way we consume open source hasn't kept pace with how we rely on it. Most teams pull a base image from Docker Hub, add their application code, and ship it. That base image might contain 200-400 packages, many of which have nothing to do with your application but all of which expand your attack surface. At the library level, teams pull dependencies from public registries like PyPI and npm with minimal vetting for what's actually inside the artifact they're downloading.
The industry response has been vulnerability scanning: scan your images, generate a report, file tickets, patch what you can, accept the rest. It's become the status quo. But scanning doesn't fix anything. It tells you what's broken. Your developers still have to triage, prioritise, patch, retest, and redeploy. By the time they're done, new CVEs have been published and the cycle starts again. Meanwhile, malicious packages on public registries bypass scanners entirely. They're not CVEs. They're deliberately injected malware.
Chainguard takes a fundamentally different approach. Instead of scanning after the fact and hoping your team can keep up, Chainguard rebuilds open source from verified source code (containers, language libraries, and VMs) with only the packages your application actually needs. Images are rebuilt nightly, libraries are built from source on SLSA L2 infrastructure, and everything ships with signed provenance and SBOMs. The result: zero known CVEs and verified, malware-resistant dependencies. Not as a goal, but as a baseline.
It's the difference between detecting problems and not having them in the first place.
Your team uses PyTorch for ML workloads. Here's what the official image looks like under a vulnerability scanner versus Chainguard's equivalent.
Replace FROM pytorch/pytorch:latest with FROM cgr.dev/chainguard/pytorch:latest in your Dockerfile. Same runtime, same CUDA support, same model compatibility. For Python dependencies, point your artifact manager at Chainguard Libraries. Your developers keep using pip install exactly as they do today.
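As an added illustration (not Chainguard's own tooling), the small Python helper below inventories the FROM lines in a Dockerfile, proposes the cgr.dev substitute for mapped Docker Hub images, and flags digest-pinned references that have to be re-pinned after the swap. The pytorch mapping follows the page; the python mapping and the sample Dockerfile are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Docker Hub repository -> Chainguard image. Only the pytorch row comes from the
# page; the python row is an assumed example of the same cgr.dev naming pattern.
CHAINGUARD_EQUIVALENTS = {
    "pytorch/pytorch": "cgr.dev/chainguard/pytorch",
    "python": "cgr.dev/chainguard/python",
}

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)

@dataclass
class Finding:
    original: str
    replacement: str | None  # None when no Chainguard equivalent is mapped
    digest_pinned: bool      # original reference carried an @sha256 digest

def split_ref(ref: str) -> tuple[str, str, bool]:
    """Split 'repo[:tag][@digest]' into (repo, ':tag' or '', pinned)."""
    name, _, digest = ref.partition("@")
    name = name.removeprefix("docker.io/").removeprefix("library/")
    colon = name.rfind(":")
    tag = ""
    if colon > name.rfind("/"):  # a colon after the last slash is a tag, not a port
        name, tag = name[:colon], name[colon:]
    return name, tag, bool(digest)

def audit_dockerfile(text: str) -> list[Finding]:
    """Report every external base image and its proposed cgr.dev substitute."""
    findings, stages = [], set()
    for m in FROM_RE.finditer(text):
        ref = m.group("ref")
        if m.group("stage"):
            stages.add(m.group("stage").lower())
        if ref.lower() == "scratch" or ref.lower() in stages:
            continue  # not a registry pull
        repo, tag, pinned = split_ref(ref)
        target = CHAINGUARD_EQUIVALENTS.get(repo)
        # The old digest belongs to the old image: keep only the tag, re-pin later.
        findings.append(Finding(ref, f"{target}{tag}" if target else None, pinned))
    return findings

def rewrite_dockerfile(text: str) -> str:
    """Swap mapped FROM lines in place; unmapped lines are left untouched."""
    def swap(m: re.Match) -> str:
        repo, tag, _ = split_ref(m.group("ref"))
        target = CHAINGUARD_EQUIVALENTS.get(repo)
        return m.group(0).replace(m.group("ref"), f"{target}{tag}") if target else m.group(0)
    return FROM_RE.sub(swap, text)

# Constructed sample, not a real With Intelligence Dockerfile.
SAMPLE_DOCKERFILE = "FROM pytorch/pytorch:latest AS train\nCOPY . /app\nFROM python:3.12\nCOPY --from=train /app /app\n"
```

Run audit_dockerfile over each repository's Dockerfiles first to see which base images have a mapped substitute, then apply rewrite_dockerfile and pull the new images to record their digests.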
When Motive Partners backed With Intelligence in 2023 at a £400M valuation, the platform was already growing fast. Since then, Charlie Kerr's team acquired SPS, The Deal, Realfin, and FolioMetrics, each with its own codebase and dependencies. Now under S&P Global ownership at $1.8B, those combined platforms serve 30,000+ PE firms, 19,000 real estate investors, and 17,000 hedge funds. Open-source dependencies that were previously "good enough" now need provenance, SBOMs, and audit trails. The integration window is when this work is most tractable, and most valuable.
You've acquired four companies since 2023, launched a new platform product, and now you're integrating into S&P Global. Every one of these creates new open-source dependencies to secure.
Your team (data scientists, analysts, technologists, and developers) is integrating SPS deal analytics, The Deal's content pipelines, Realfin's real assets data, and FolioMetrics' CRM into the With Intelligence platform. Each acquisition brought its own container images, Python packages, and infrastructure choices. Under Motive Partners, that was manageable. Under S&P Global, every one of those inherited dependencies now needs provenance, SBOMs, and audit-readiness.
Meanwhile, Allocate With, your new LP-facing product launched in 2025, adds another customer-facing surface. You're blending news feeds, allocation data, and fund intelligence from brands like HFM, Eurekahedge, SPS, and Highworth Research into a single platform serving 3,000+ clients. That's a lot of data pipelines, a lot of microservices, and a lot of open-source packages underneath all of it.
Charlie Kerr's team built a business valued at $1.8B by moving fast and acquiring smart. Chainguard makes sure the open source underneath that platform is as trustworthy as the intelligence on top of it.
With Intelligence lists developers, data scientists, software developers, and product developers among its core team. Integrating four acquired platforms into a unified data product while onboarding into S&P Global's infrastructure means your engineering org is under pressure to ship fast without breaking trust. Every new microservice, every new data pipeline, every new API endpoint inherits whatever was in the base image.
The official PyTorch image includes 400+ packages. With Octopus Deploy automating releases and Prometheus monitoring a cloud-native infrastructure, your team is deploying containers at velocity, and each one carries whatever the base image brought along.
Chainguard's PyTorch container carries the same runtime with a fraction of the packages. Fewer packages, fewer CVEs, smaller images, faster builds. And with Chainguard Libraries for Python, the dependencies your data scientists pip install are rebuilt from verified source too, protecting against attacks like the 2023 PyTorch torchtriton compromise where a malicious nightly dependency exfiltrated sensitive data.
These aren't projections. They're results from engineering teams that made the switch.
Engineering teams report spending 90% less time triaging, patching, and rescanning container images. Time that goes back to building product.
Across hundreds of organisations, Chainguard eliminates roughly 1,000 hours of CVE triage and remediation toil per image annually.
Snowflake achieved an 18x return on investment moving their FedRAMP High environment to Chainguard images, driven by reduced remediation and faster audit cycles.
Sourcegraph achieved "inbox zero" for vulnerabilities for the first time in two years after adopting Chainguard. No critical or high CVEs detected across their container fleet.
GitGuardian went from numerous critical and high vulnerabilities to zero, plus a 33% reduction in image size, enabling faster, cleaner customer deployments.
When new critical CVEs are published, Chainguard resolves them in under 20 hours on average, with 97.6% resolved within 48 hours. Industry SLAs are typically 30+ days.
Minimal, zero-CVE container images built from source on Chainguard OS. Only the packages your application needs. No shells, no package managers, no unnecessary attack surface. Rebuilt nightly so patches land automatically.
Malware-resistant language dependencies for Python, Java, and JavaScript. Every library and its full dependency tree rebuilt from verified source code on SLSA L2 infrastructure. Integrates with JFrog Artifactory, Sonatype Nexus, and existing artifact managers. No workflow changes needed.
Every container and library ships with a build-time SBOM and Sigstore cryptographic signatures with SLSA provenance. You know exactly what's inside, where it came from, and when it was built. Audit-ready out of the box.
2,000+ container images available as direct substitutes for Docker Hub equivalents. Change the FROM line, rebuild, deploy. Libraries proxy through your existing artifact manager. No architecture changes.
Trusted container images for PyTorch, TensorFlow, CUDA, Python, NumPy and the full ML stack, plus Python libraries rebuilt from source to protect against attacks like the 2023 PyTorch torchtriton compromise.
7-day SLA for critical CVEs, 14-day for everything else. In practice, critical issues are resolved in under 20 hours, with 97.6% resolved within 48 hours. Your scanner results get quieter, permanently.
I'd like to walk your engineering team through how Chainguard Containers and Libraries work in practice. What the migration path looks like for your PyTorch images and Python dependencies, and how other data platforms have handled the transition.