
Here's the number that frames all of this: CVE submissions are up 263% since 2020, and NIST enriched nearly 42,000 of them in 2025, more than any prior year. Even that wasn't enough to keep pace, so in April 2026, NIST gave up on analyzing every CVE and moved to a triage model. New vulnerabilities already show up faster than almost any team can keep up with, and that gap is only going to get wider.
AI-assisted offensive research has arrived. Anthropic held its Mythos model back because it was good enough at finding flaws in source code to be dangerous, releasing it through Project Glasswing to a handful of teams first. Even on curl, one of the most audited codebases anywhere, an early Mythos scan turned up real bugs.
You don’t even need AI tooling to find vulnerabilities in an average container image. Most customers we talk to have many thousands of already-known CVEs across their registries, but no viable path to drive that number down.
Today there are far more and better scanners available than when we started Twistlock over a decade ago, yet customers have even more open vulnerabilities. The industry has built scanners, dashboards, vulnerability aggregation platforms, and countless other tools focused on vulnerability discovery. Visibility is not the primary challenge, and it was not one even before AI was applied to finding more.
The hard part is remediation: the grind of rebuilding commodity open source software against a never-ending stream of updates, over and over, for components nobody wants to own.
AI has made that imbalance worse, not better. It speeds up the half of the problem we were already keeping up with and does little for the half we weren't. Every new vulnerability creates additional work for developers, platform teams, and security teams. As discovery accelerates, remediation backlogs grow right alongside it. What organizations need isn't better discovery; they need a practical way to reduce risk at the source.
A minimal, hardened base image with up-to-date packages, a small attack surface, compliance built in, and the attestations you need to pass an audit should be the floor for shipping software in 2026, not a premium add-on.
The industry has kept that floor behind a contract. Images that are up to date, secure by design, and compliant by default have only been available to those willing to pay for them, and everyone's security has been worse because of it.
The result is that insecure defaults are easier to access than secure ones. Poorly maintained, publicly available images are one pull command away, while secure foundations frequently require contracts, evaluations, and procurement processes.
We believe secure foundations should be broadly available.
Organizations should pay for operational capabilities like SLAs, self-hosting in any registry, custom image recipes, governance, RBAC, and automation. Those capabilities add real value. A patched binary isn't something anyone should charge rent on, least of all now, with AI pushing CVE counts even higher.
The quicker vulnerabilities arrive, the more a secure starting point needs to be the normal one. We’re proud to play our part in making that accessible to everyone.
This belief that secure defaults should be accessible to everyone is why Minimus Community Edition exists. Community Edition provides hundreds of continuously rebuilt, near-zero CVE images, with FIPS-validated cryptography and CIS, NIST SP 800-190, and STIG validation.
These are the same images our customers in finance, government, and healthcare around the world already run in production, not a watered-down sampler to collect leads.
You can browse our Community Edition images and use them in your environment for free, with no trial, no auth wall, no signup. The whole point is to make a secure default the easy choice and accessible to all.