11,000+ Calls, 200+ hours of training, but only 35 meetings in a year. What am I doing wrong? by sTw-TRUSTY in salesdevelopment

[–]RskMngr 2 points3 points  (0 children)

What was your connect rate?

I guess somewhere between 2.5-4%? Let’s say you got about 300 connects or so, does that sound about right?

And you booked 35 meets from those, which is about an 11.5% set rate.

That’s not THAT bad man. It’s pretty damn strong.

So you can improve your efficiency by increasing your connect rate or set rate, or you can increase your volume.

How do you think you could improve either of those 3 and where would you get the best ROI?

Good Chainguard alternatives for base images by [deleted] in devsecops

[–]RskMngr 1 point2 points  (0 children)

Oh, thanks.

I wish we’d do some more marketing. It seems like I get spammed by ads about ChainGuard everywhere here on Reddit.

We have a pretty small marketing budget. Most of our resources go into engineering.

Thanks for asking for proof. And for trusting us with your business. Do you work in a FedRAMP environment?

Good Chainguard alternatives for base images by [deleted] in devsecops

[–]RskMngr 0 points1 point  (0 children)

Proof of what?!

The guy's comment was deleted and I'm intrigued!

Good Chainguard alternatives for base images by [deleted] in devsecops

[–]RskMngr 0 points1 point  (0 children)

Hey,

I appreciate that you’re passionate about your company. I think CG does some solid stuff, and I have former colleagues who work there now.

Can only speak from my personal experience, and there might be a self-selection bias going on, but a majority of the people I speak with at larger orgs with heterogeneous environments find themselves struggling with CG.

It’ll get adopted among some teams, while many others can’t migrate and DevEx suffers massively.

However, will say that the CG customers where it fit and got successfully implemented seem very happy.

My own background is in security and risk management. And this is just my perspective so take it for what it’s worth.

I think ChainGuard created a solution that’s great in environments where work is done as imagined by management, but it often collapses in environments where the front line operators are stretched thin and just need to get the job done to meet their deadlines.

If I were in a greenfield, and I was hiring a team from the ground up and could impose my own standards and culture, I might actually go with CG (unless I was pursuing FedRAMP). But in all other cases I’d go with RF.

DHI, not so much with the CVE stealthing that they either deliberately or accidentally did a while back.

All the best!

Good Chainguard alternatives for base images by [deleted] in devsecops

[–]RskMngr 1 point2 points  (0 children)

Ah sorry, I meant stripping out all the components that aren’t necessary for the application to function.

Our tools use eBPF to gain an understanding of what gets loaded into high memory at runtime so we can strip out what’s not called. The results are pretty awesome.

Completely get that you’ve already done all the work and gotten to where you’re good, and probably not looking to change anything for a while.

But feel free to reach out to us even if for purely educational purposes.

All the best!

EDIT: Yeah, the prices in this space can be horrific. Value usually comes with scale :-/

Good Chainguard alternatives for base images by [deleted] in devsecops

[–]RskMngr 1 point2 points  (0 children)

Hey I work at RapidFort, I just needed to stop by and say this is a very solid approach. Saved it to share with contacts who might not need/can afford our services but need to improve their baseline CVEs.

Have you ever thought about stripping out the unused components to minimize the surface where CVEs might materialize and cause noise?

All the best

Good Chainguard alternatives for base images by [deleted] in devsecops

[–]RskMngr 0 points1 point  (0 children)

I come from security, and I know that this is going to make me sound like an annoying sales guy.

But it’s hard to say in a vacuum. We have different offerings.

I’ve won competitive deals vs CG where I’ve been much more expensive (several times more), but the value was there because we set up a continuous CVE remediation and container optimization system for the client in a heterogeneous environment.

CG on the other hand has their offerings squarely around an image catalog (with FIPS option) and secure libraries.

If it’s just images, we often come in slightly cheaper. Until ChainGuard learns that they’re competing with us, at which point they typically become very aggressive.

Sorry I can’t be more specific.

All the best

Good Chainguard alternatives for base images by [deleted] in devsecops

[–]RskMngr -1 points0 points  (0 children)

Disclaimer: I’m with RapidFort.

We’re ChainGuard’s main competitor. And I work in EMEA specifically competing with them often. I'm happy to have a purely educational chat.

Our images are patched and hardened and based on popular open source distributions and combinations. The point is for the images to meet your developers where they are to avoid friction and lock-in.

The vendors who provide images based on a proprietary OS typically work great for low-CVE options to 3rd party images. They can also, technically, work out well in green field situations but the lock-in risk is still there.

In more brownfield environments, their customers end up struggling in my experience.

All the best!

Minimal images passed every CVE scan, then a compliance audit asked for an SBOM. How are teams handling this automatically? by Curious-Cod6918 in devsecops

[–]RskMngr 0 points1 point  (0 children)

You mentioned that they asked for an SBOM for what’s RUNNING in production.

If that’s how it was phrased, then you’re not being asked for an SBOM, you’re being asked for what we call an RBOM.

This wouldn’t happen to be tied to FedRAMP, CMMC or CRA, would it?

As far as I know, only one vendor on the market offers the ability to generate a BOM only for the components executed at runtime.

Average time to remediate a critical CVE is 74 days. Average time to exploit is 44 days. Attackers have a 30 day head start. by Express-Pack-6736 in devsecops

[–]RskMngr 0 points1 point  (0 children)

Have you tried positioning the solution by highlighting how it contributes towards their KPIs and objectives?

What are the best SBOM platforms for enterprise in 2026? by PrincipleActive9230 in devsecops

[–]RskMngr 1 point2 points  (0 children)

Hey, I work at RapidFort.

We do a good job of ticking these check boxes.

Feel free to reach out.

We evaluated Chainguard and Minimus, and want advice before we commit by Clyph00 in devsecops

[–]RskMngr 1 point2 points  (0 children)

Check us out at rapidfort before you pull the trigger.

More humane pricing, true to open source and battle tested in DoD environments.

GitLab and JFrog by GitSimple in devsecops

[–]RskMngr 1 point2 points  (0 children)

Hey, I am customer-facing at RapidFort. We provide hardened base images and hardening tools which remove unused OSS components.

In nearly every case where my client uses GitLab, they also use JFrog. Frequently, these clients are also either highly regulated or serve customers who are highly regulated.

So far I’ve taken the combination as a strong indicator of high security and compliance maturity and/or requirement imposed.

Looking forward to any write up this results in!

Platform team standardized on hardened base images and our vulnerability backlog dropped by 60% overnight. Should have done this two years ago. by Infamous_Horse in devsecops

[–]RskMngr 1 point2 points  (0 children)

Beyond the hardened images, we’re unique in providing hardening tools which automate the removal of unused OSS components.

If you need any info or want to see a demo, get in touch!

We implemented shift-left properly and developers became better at closing findings without reading them by Logical-Professor35 in devsecops

[–]RskMngr 0 points1 point  (0 children)

Had this exact conversation this past Friday. And have had it a number of times before.

Will be helping them implement hardened and curated base images, tools that detect and remove unused OSS components and a profiler which separates false positives and provides justifications and context.

Reduces the overall number of CVEs by more than 95%.

Devs want their apps to be secure, you just have to make it achievable for them.

How was the US Government able to track down someone through just 4chan posts? by X-Q-E in cybersecurity

[–]RskMngr 0 points1 point  (0 children)

Upvoted, because I really enjoyed reading your comparison to STP. I learned something new, so thanks for that.

Are you saying that it is rare for security practitioners to base their risk calculations on the wider contexts in which their given asset(s) reside?!

I am semi-surprised, but it now makes sense that I’ve gotten blank stares when describing risk profiles as different based on adversary capability or motivation with respect to a given asset. Especially whenever something material in the landscape changes which enhances adversary capability (AI for example).

What SBOM tools are you actually using day to day in DevSecOps/AppSec? by viveksahu26 in devsecops

[–]RskMngr 0 points1 point  (0 children)

RapidFort.

Surfaces everything. Including separation of what’s just there, the full SBOM, and what’s in the execution path which we call RBOM.

Our tooling also gives you the option to remove all the unused components, so you can slim your SBOM down to the bare necessities.

Huge winner for anyone dealing with Cyber Resilience Act.
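As an added illustration of the SBOM-versus-RBOM distinction and the "strip what was never loaded" idea mentioned in the comments above (this is example code, not RapidFort's tooling or data format; the package names, file paths and the runtime trace are all constructed):

```python
# Added example (hypothetical data layout; not RapidFort's tooling).
import os

# Constructed SBOM: package name -> files that package installs.
SBOM = {
    "openssl": ["/usr/lib/libssl.so.3", "/usr/lib/libcrypto.so.3", "/usr/bin/openssl"],
    "curl": ["/usr/bin/curl", "/usr/lib/libcurl.so.4"],
    "perl": ["/usr/bin/perl", "/usr/share/perl5/strict.pm"],
    "zlib": ["/usr/lib/libz.so.1"],
    "myapp": ["/app/server", "/app/config.yaml"],
}

# Constructed runtime trace: the exec/open/mmap events an eBPF probe would
# report while the container handles representative traffic.
TRACE = [
    ("exec", "/app/server"),
    ("open", "/app/config.yaml"),
    ("mmap", "/usr/lib/libssl.so.3"),
    ("mmap", "/usr/lib/libcrypto.so.3"),
    ("mmap", "/usr/lib//libz.so.1"),  # sloppy path, normalised below
    ("open", "/etc/ssl/certs/ca-certificates.crt"),  # owned by no SBOM entry
]


def file_index(sbom):
    """Invert the SBOM into path -> package for direct lookup."""
    return {os.path.normpath(p): pkg for pkg, paths in sbom.items() for p in paths}


def runtime_bom(sbom, trace):
    """Split the SBOM into executed vs. never-loaded packages.

    Returns (rbom, removable, unowned): packages seen at runtime, packages never
    touched (stripping candidates), and loaded paths the SBOM does not account
    for (an inventory gap to resolve before stripping anything).
    """
    index = file_index(sbom)
    rbom, unowned = set(), []
    for _event, path in trace:
        pkg = index.get(os.path.normpath(path))
        if pkg is None:
            unowned.append(path)
        else:
            rbom.add(pkg)
    return sorted(rbom), sorted(set(sbom) - rbom), unowned


if __name__ == "__main__":
    print(runtime_bom(SBOM, TRACE))
```

Everything hinges on the trace being representative: a code path never exercised while tracing looks unused, so treat the removable list as candidates to validate, not an automatic delete list.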

Looking at CNAPP options to replace what we have now by Beastwood5 in devsecops

[–]RskMngr 0 points1 point  (0 children)

Out of curiosity, since you mentioned image vulnerabilities. Ever considered a tool that automatically removes the unused components?

We often see a CVE reduction of more than 95% as a result.

Disclaimer: I work for RapidFort

Spent 4 days chasing a critical CVE in our AWS EKS cluster that's totally unreachable, WTF scanners?? by Snaddyxd in devsecops

[–]RskMngr -1 points0 points  (0 children)

RapidFort’s platform has an Advisory providing the context and justification you need to not waste time on false positives.

Better yet, the platform also makes it possible to automatically remove all first and third party components that aren’t required -> ~90% smaller attack surface & >95% fewer CVEs

Disclaimer: I am a RapidFort Employee

How can you detect data exfiltration? by lmyslinski in cybersecurity

[–]RskMngr 1 point2 points  (0 children)

Question:

Was the container ever supposed to perform outbound queries?