In addition to recently announcing that their application stack is now 100% running on AWS (link), today Wiz announced WizOs. According to the announcement, WizOs is a collection of Wiz-validated, hardened, minimal, near-zero-CVE container base images built for secure software delivery. In the release from today Wiz gives a nod to the companies that broadly contributed to this category:
“As we launch our own hardened, lightweight images, we want to recognize the trailblazers whose innovation shaped this field – Google’s Distroless initiative, Red Hat’s Universal Base Images, Chainguard’s Wolfi OS, Docker’s minimal image efforts, and Alpine Linux’s secure, lightweight foundation. Your contributions laid the groundwork for a more secure and efficient container ecosystem.”
As many of you likely saw recently, Chainguard recently raised $356M at $3.5B valuation, up from $1.1B a year ago. Chainguard is the largest, independent (and still private) company in the Near-zero-CVE category. Chainguard relies on cloud security run-time agents from companies like Wiz and Palo Alto Networks to show which real-time vulnerabilities can be resolved with Chainguard’s or other independent Near-zero-CVE providers’ images. Wiz dropped some hints suggesting that companies don’t need this extra step from a point product category at the end of the release and will ship software more quickly without leaving the Wiz platform:
“The impact was immediate. Critical and high CVEs in base images dropped to near zero. Our vulnerability scanners became quieter, with fewer false positives and less noise. And for the issues that remained, developers could focus on actual application-level logic rather than inherited OS flaws. From a developer perspective, the change meant fewer blocked builds, smaller image sizes, and faster deployments. CI pipelines moved faster, and network and storage usage dropped in our container image registries.”
Will Chainguard and others in this category deploy their own agents and also move into securing run-time for customers or will they have to acquire in this category? I guess we are about to find out.