
Appian trusts Chainguard to reduce engineering toil and accelerate innovation
Appian is an AI-powered process automation company that helps organizations design, automate, and modernize complex business workflows at speed. Their low-code platform empowers customers across industries, including highly regulated sectors such as public sector, banking, and financial services, to build enterprise-grade applications at the speed of ideas.
The challenge: Complexity of open source at scale
Like most modern software organizations, Appian relies heavily on open source components. As their platform scaled, so did the complexity of their open source footprint, introducing new challenges around managing, triaging, and patching vulnerabilities and hardening those components.
Andrew Cunje, Appian’s CISO, put it bluntly: “Complexity at scale without solutions are anti-patterns. Securing a growing list of open source was eating into valuable cycles of our developers.”
For engineers, that burden meant less time spent on building new, innovative products and features. As Abdullah Munawar, Director of Product Security, explained, “The speed of innovation is impacted by all the overhead that we had to spend on taking time to patch and maintain these third party components. Developers were unable to take that time and use it to innovate via future work.”
The weight of compliance requirements added to the strain. With many customers operating in highly regulated sectors, Appian needed to meet FedRAMP and IL5 standards. Abdullah described the challenge: “In addition to all of the regular security requirements, we also have to deal with compliance requirements, specifically FedRAMP and IL environments. Within those environments, a lot of emphasis is put on timely patching as well as hardening those images. Without leveraging Chainguard, it's a difficult task to do on our own.”
Ultimately, this meant product innovation stalled while engineering teams focused on urgent security and compliance needs.
The solution: Chainguard Containers
Faced with rising complexity when building its production environment using open source software (plus the heavy burden of compliance), Appian turned to Chainguard Containers to simplify risk management and fuel innovation. The decision to partner rather than build a golden image program in-house was pragmatic.
Andrew explained, “When deciding if we needed to build or buy, the math was simple. We just wanted to get our features into our customer’s hands as fast as possible.”
Having managed open source security in-house at a previous employer, Andrew knew what it would take to build from scratch. By his calculation, this effort would have required 15-20 full-time engineers, and even then, Appian would have struggled to meet accreditation deadlines. As he put it, “When you're dedicating that type of time and it’s not something that you're going to sell, that's really just a fool's errand.”
Instead, getting started with Chainguard Containers was quick and straightforward. Abdullah recalled, “The team was extremely helpful and offered a ton of support. It was as simple as us requesting images, versions, and then us pulling those down and being able to verify them and deploy them into our environment.”
The results: More time to innovate, faster paths to compliance
Innovation unlocked
With Chainguard, Appian dramatically reduced operational overhead, giving engineers the time and focus to return to building innovative products and features that would drive revenue for Appian.
This shift has enabled the company to enter new markets more quickly. As Andrew explained, “As the CISO, my focus is on risk and revenue. From a risk perspective, we’re able to raise the waterline and enter new markets quickly. From a revenue perspective, the more markets that we enter, the more revenue we can capture.”
The payoff is clear: “Every hour that we spend on innovating instead of fixing is revenue gained. And for me, that’s a double win.”
Compliance without the burden
Chainguard has also helped Appian meet the strict standards of its highly regulated customers with greater ease and confidence.
“Chainguard provides us a significant level of comfort,” Abdullah explained. “We know that when we leverage third party components through Chainguard, they’re patched, they’re hardened. And so all of our IL5 and FedRAMP requirements are satisfied.”
Today, Appian holds more than 30 compliance certifications, and Chainguard has accelerated that progress and, ultimately, revenue. The partnership also dramatically shortened the timeline for Appian’s FedRAMP accreditation, which the team originally estimated would take more than a year but which ultimately took just a few months.
Andrew explained, “At Appian, we believe that what’s good for one customer from a security perspective is good for the next. And with Chainguard, they’re helping us turn compliance from a blocker into a business advantage.”
As Andrew concluded: