Securing Both Known and Unknown Vulnerabilities, with Chainguard + BlueRock
By Bob Tinker, CEO @ BlueRock Security
First things first: huge congrats to the Chainguard team on their recent announcement launching their portfolio expansion with Chainguard VMs. They’ve moved beyond container hosts to add Application (e.g., Jenkins, NGINX, Squid) and Base (Chainguard OS, Java, Python) virtual machine images—now available across cloud and on-prem formats. It’s a big step toward making secure-by-default infrastructure the norm, not the exception.
Protection Against The Known And The Unknown: Why Our Approaches Fit So Well Together
- Chainguard → Saves developers time by reducing the risks you know about.
- BlueRock → Saves developers time by reducing the risks you don’t know about.
Together, you get defense-in-depth with lower friction for developers.
Chainguard’s minimal, zero-CVE images are rebuilt from source daily and backed by a remediation SLA, so you start from a clean, trusted baseline rather than spending cycles triaging noisy CVE backlogs. And with multi-format support (AMI, Azure, GCP, VMware, raw/QCOW2), you can standardize that baseline across cloud and on-prem.
BlueRock fills an important gap, covering you against vulns you don’t know about and against known vulns that have yet to be patched. The thing is, attackers don’t wait for CVE advisories. An unknown vulnerability can stay unknown anywhere from zero days to multiple years. The emergence of AI is helping attackers discover new vulnerabilities that may never be disclosed. And for CVEs that are public, once the responsible-disclosure window has passed, AI-assisted exploitation has shrunk the window from weeks to days to hours. That’s why BlueRock delivers two “baked-in” runtime layers:
- BlueRock Runtime Reachability Intelligence (RRIQ): We watch what actually loads and runs in your business apps and services, and map it to exploitable CVEs so devs fix what is actually reachable first, not whatever happens to be highlighted by static code scans. This capability also makes it easy to demonstrate the cost and time savings of running Chainguard’s CVE-free images.
- BlueRock Compute Firewall (agent-less runtime guardrails): CVE-agnostic, real-time protections that can see, alert on and block whole classes of exploit chains (deserialization, path traversal, reverse shells, image drift, privilege escalation, and more) across apps, containers, and nodes. In our testing, just 5 simple policies can neutralize 70% of the attack patterns in CISA’s KEV (Known Exploited Vulnerabilities) catalog.
Why This Matters Now
The modern reality is AI-speed attacks. Exploit development and weaponization keep accelerating, outpacing traditional scan/patch cycles and leaving teams perpetually behind. We’ve argued for some time that we must move beyond the “scan-and-patch hamster wheel” to prevent exploits at runtime while also shrinking the patch list to what truly matters.
Chainguard gives teams a clean, reproducible starting point that stays clean. BlueRock ensures that when (no longer if) a new exploit is targeted against you, your runtime has guardrails that can protect you in real time.
What Customers Get With BlueRock & Chainguard: 1 + 1 > 2
- Secure by Default: Zero-CVE images reduce the attack surface. BlueRock’s Compute Firewall protects against unknown exploits.
- Better security: Start from hardened, verified images and add CVE-agnostic runtime guardrails that stop exploit chains (known and unknown).
- Lower cost: Less time thrashing on scans and patches, fewer security agents to contend with, all baked into consistent golden images across cloud and on-prem.
What’s Next: BlueRock Node Images for Chainguard VMs
We’re already on the path to combine BlueRock Compute Firewall images with Chainguard VMs so customers can get a Zero-CVE base (Chainguard VMs), advanced Runtime Reachability Intelligence (BlueRock RRIQ) and runtime guardrails (BlueRock Compute Firewall), fully baked into your cloud node images.
Already running on AWS? BlueRock RRIQ and our Compute Firewall are available today on Amazon Linux 2023, and we’re excited to extend that experience to Chainguard VMs next.
If you’d like to pilot BlueRock on Chainguard, let’s talk.
A Final Thank-You
Kudos again to the Chainguard team for pushing the industry toward secure-by-default foundations, and thanks for collaborating with us to be part of the journey. This is the right direction for builders and defenders alike.
If you’re a software development leader who wants to reduce risk and give your dev team time back, we’d love to compare notes and get you started.
— Bob