CascadeGuard Growth Strategy (v3)

Guiding Principles

  • The open source CLI tool stays free forever — it’s our top-of-funnel.
  • Managed hardened images are public on Docker Hub — they’re our billboard, not our gate.
  • Start lean on Docker Hub (10 images), scale based on data.
  • Tier differentiation is about platform features and personalisation, not image access.
  • Trust-first, upstream-first: users arrive with their existing images. We meet them there, analyse what they have, then show the delta to our managed images.
  • Paid tiers gate production-grade capabilities, not basic security information.

Docker Hub: Lean Start, Data-Driven Scale

10 managed hardened images on Docker Hub under cascadeguard/ to start. Not 25.

Rationale:

  • Docker Hub free org gets 1 repo. We need the Team plan (~$9/mo) for multiple repos — cost is minimal.
  • 10 images is enough to prove the model and build discoverability without giving away the full catalog.
  • Usage analytics per image are critical. Docker Hub provides pull counts. We should supplement with:
    • Platform referral tracking (which Docker Hub images drive signups)
    • Image type vs pull frequency analysis
  • Review the 10→25 expansion based on 60 days of data.

Initial 10 image candidates (weighted by workload diversity and pull frequency):

  1. nginx
  2. node
  3. python
  4. postgres
  5. redis
  6. alpine
  7. ubuntu
  8. golang
  9. mysql
  10. openjdk

Pull patterns vary by image type — this matters for capacity planning and value positioning:

  • Base OS (alpine, ubuntu): used in build pipelines, pulled less frequently per workload but across many builds
  • Ephemeral workloads (nginx): high pull frequency, short-lived pods, single workload can drive many pulls
  • Stateful (postgres, mysql, redis): pulled infrequently but long-running — value is in ongoing CVE monitoring, not pull count

What Docker Hub does NOT give them: personalised assessment, own-image scanning, trend data, alerts, CI/CD integration, policy engine, private registry. That’s where tier value lives.


Upstream-First User Journey

Key insight: users will not arrive already using our images. They have existing workloads built on upstream Docker Hub images. The tool must meet them where they are.

The journey:

1. ARRIVE      — User has existing workloads on upstream images (e.g., docker.io/nginx:1.25)
2. DESCRIBE    — Tool helps them define their workload profile: which images, which versions, what context
3. ASSESS      — We show security posture of their UPSTREAM images using our facets and analysis
4. COMPARE     — "Here's your current state. Here's what changes with cascadeguard/nginx."
                  Side-by-side: CVE count, SBOM diff, signature status, rebuild freshness
5. TRY         — One-click swap: show the exact tag/digest to replace in their Dockerfile/manifest
6. ADOPT       — Pull cascadeguard/nginx. They now get the managed image benefits.
7. DEEPEN      — Register to save their workload profile, get alerts, scan own images
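The COMPARE step above, as an added example that is not CascadeGuard's own code: it computes the side-by-side delta (CVE counts by severity, SBOM diff, signature status, rebuild freshness) between two constructed image records. The ImageFacets shape, the CVE ids, package versions and build dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
SEVERITIES = ("critical", "high", "medium", "low")

@dataclass
class ImageFacets:  # constructed shape, not CascadeGuard's real schema
    ref: str
    cves: dict       # CVE id -> severity, e.g. {"CVE-0000-0001": "critical"}
    packages: dict   # package name -> version (a flattened SBOM)
    signed: bool     # signature verified against the image digest
    built_at: date   # last rebuild date
def cve_counts(img):
    counts = {s: 0 for s in SEVERITIES}
    for sev in img.cves.values():
        counts[sev] += 1
    return counts

def compare(upstream, managed, today):
    """Return the side-by-side delta a user would see in the COMPARE step."""
    up, mg = cve_counts(upstream), cve_counts(managed)
    up_pkgs, mg_pkgs = upstream.packages, managed.packages
    return {
        # (upstream, managed, change) per severity; negative change = fewer CVEs
        "cves": {s: (up[s], mg[s], mg[s] - up[s]) for s in SEVERITIES},
        "fixed_cves": sorted(set(upstream.cves) - set(managed.cves)),
        "new_cves": sorted(set(managed.cves) - set(upstream.cves)),
        # SBOM diff: packages dropped by hardening, added, or bumped to a new version
        "packages_removed": sorted(set(up_pkgs) - set(mg_pkgs)),
        "packages_added": sorted(set(mg_pkgs) - set(up_pkgs)),
        "packages_changed": {n: (up_pkgs[n], mg_pkgs[n]) for n in up_pkgs
                             if n in mg_pkgs and up_pkgs[n] != mg_pkgs[n]},
        "signed": (upstream.signed, managed.signed),
        # rebuild freshness: days since each image was last built
        "age_days": ((today - upstream.built_at).days, (today - managed.built_at).days),
    }

# Constructed sample data: placeholder CVE ids and versions, not real findings.
SAMPLE_UPSTREAM = ImageFacets(
    "docker.io/nginx:1.25",
    cves={"CVE-0000-0001": "critical", "CVE-0000-0002": "high", "CVE-0000-0003": "low"},
    packages={"nginx": "1.25.3", "openssl": "3.0.11", "curl": "8.4.0", "bash": "5.2"},
    signed=False, built_at=date(2024, 1, 10))
SAMPLE_MANAGED = ImageFacets(
    "cascadeguard/nginx:1.25",
    cves={"CVE-0000-0003": "low", "CVE-0000-0004": "medium"},
    packages={"nginx": "1.25.3", "openssl": "3.0.13"},
    signed=True, built_at=date(2024, 3, 1))
def sample_delta():
    return compare(SAMPLE_UPSTREAM, SAMPLE_MANAGED, date(2024, 3, 5))
```

Rendering the returned dict as the side-by-side table is a presentation concern; the sample shows two CVEs fixed, one new medium finding introduced, two packages removed, one version bump, and a much fresher, signed build.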

This upstream-first approach means:

  • We don’t assume adoption — we earn it by showing the delta
  • The free tool is valuable even if they never switch images (they get upstream analysis)
  • Conversion to our images is a natural outcome of seeing the comparison, not a marketing push

Trust-First Growth Funnel (Updated)

1. DISCOVER    — Pull cascadeguard/nginx from Docker Hub OR visit dashboard with upstream images.
2. EXPLORE     — Define workloads using upstream images. See security facets for any image. No account.
3. COMPARE     — See your upstream images vs our managed alternatives. Side-by-side delta.
4. PERSONALISE — Add more workloads, tune facets. Session-based, no account required.
5. SAVE        — "Want to keep this assessment?" Registration = saving work, not a toll booth.
6. DEEPEN      — Registered: scan own images, get email alerts, trends over time.
7. SCALE       — Paid: CI/CD, policy-as-code, private registry, auto-rebuild.

Tier Structure

Free (No Account)

  • CascadeGuard CLI tool (open source)
  • 10 managed hardened images on Docker Hub (public, no gate)
  • Public vulnerability dashboard for managed AND upstream images
  • Workload construction: define your workloads using upstream images, see security posture
  • Upstream vs managed comparison — see the delta for any of our 10 public images
  • “Try Scan” — one-shot assessment of any image (rate-limited, no history)
  • Session-based personalisation (not saved)

Registered (Free Account)

Trigger: “Save my assessment”

  • Everything in Free, persisted
  • Access to full managed image catalog (25+ images) — comparison and assessment only, not Docker Hub pulls
  • Scan up to 3 of your own images/month with saved results
  • Email alerts for new CVEs affecting your selected workloads (upstream or managed)
  • Historical trend data
  • Personalised security assessment report

Signup: email only. Company/role are optional enrichment later.

Starter ($49/mo)

  • Everything in Registered
  • Scan up to 20 own images/month
  • CI/CD integration (GitHub Actions, GitLab CI)
  • Policy-as-code: define allowed base images and vulnerability thresholds
  • Team access (up to 5 seats)

Pro ($199/mo)

  • Everything in Starter
  • Unlimited own-image scans
  • Private managed registry (Harbor on EKS) — we rebuild and sign your base images automatically
  • Automated rebuild triggers on upstream CVEs
  • SBOM generation and export (SPDX, CycloneDX)
  • Compliance reporting (SOC2, HIPAA artifact generation)
  • Team access (up to 20 seats)

Enterprise (Custom)

  • Unlimited everything
  • Dedicated registry namespace with SLA
  • Custom hardening profiles, SSO/SAML, dedicated support

Image Distribution Model

What                                  Where                      Who can access
10 managed hardened images            Docker Hub cascadeguard/*  Everyone (public)
Full catalog assessment (25+ images)  CascadeGuard platform      Registered+
Own-image scan results                CascadeGuard platform      Registered (3/mo), Starter (20/mo), Pro (unlimited)
Private rebuilt images                Harbor on EKS              Pro and Enterprise only

Docker Hub Team plan required (~$9/mo) for 10 repos. Revisit count at 60-day mark based on pull analytics.


Usage Analytics (New)

We need per-image usage data to make informed decisions about expanding the Docker Hub set. Track:

  • Docker Hub pull counts per image (available via Docker Hub API)
  • Platform referral rate: which Docker Hub images drive the most dashboard visits
  • Conversion funnel by image type: base OS vs web server vs database — which converts best?
  • Upstream vs managed comparison engagement: which comparisons lead to adoption?

This data drives the 10→25 expansion decision and informs which additional images to prioritize.


Private Registry Hosting (Pro/Enterprise)

Harbor on EKS:

  • OSS, multi-tenant, S3-backed storage
  • Cosign + SBOM native support
  • Per-tenant namespace isolation
  • Already in our infra stack

What Ships First

  1. Docker Hub images (10) — push initial set public. Requires Docker Hub Team plan.
  2. Upstream workload analysis — let users define workloads with upstream images, show security posture.
  3. Upstream vs managed comparison — the “why switch” moment.
  4. Session-based personalisation — customise without registering.
  5. Registration + saved assessments — the “save your work” trigger.
  6. Starter tier — CI/CD and policy features.
  7. Pro tier — private registry via Harbor.

Remaining Decisions

  1. Docker Hub namespace — confirm cascadeguard/ availability.
  2. Initial 10 images — right selection for our audience? Adjust weighting?
  3. Pricing: is $199 still right? More aggressive entry?
  4. Harbor vs ECR — CTO to validate.