If there’s one thing guaranteed to grab attention in the computer security world, it’s announcing yourself without fully explaining what it is you plan to do.
This week, the Linux world got a taste of this enigmatic marketing ploy with the launch out of stealth of Berlin-based Linux security outfit Amutable.
While its purpose is only vaguely defined in the launch announcement, nobody could accuse it of lacking ambition: it plans to bring “determinism and verifiable integrity to Linux systems” to address the operating system’s security weaknesses.
Most tiny companies nobody has heard of would struggle to make the tactic work, but Amutable’s roster of founders is made up of several well-known Linux figures, headed by former Red Hat and Microsoft engineer Lennart Poettering as chief engineer.
Best known as the developer of the contentious but widely used Linux UEFI boot manager systemd, he has alongside him two other ex-Microsoft employees, Chris Kühl as CEO, and Christian Brauner as CTO.
A clue to Amutable’s plans lies in the announcement’s emphasis on some of its founders’ backgrounds in Kubernetes, runc, LXC, Incus, and containerd, all connected in different ways to the Linux container stack.
Verifiable integrity
Computing is full of security problems, and Linux is no exception to this rule, given convincing the protective free and open source software community of the wisdom of a radical new idea often turns out to be as big a challenge as the engineering itself.
While Linux distros on desktop computers remain a niche, the technology’s invisible domination of online platforms and cloud container orchestration tools makes it the most important operating system in the world.
That, not surprisingly, has made it a target for attacks, with cybercriminals taking advantage of vulnerabilities allowing privilege escalation, container escapes, and other exploits, as well as embedding backdoors in open source images across Linux’s complex supply chain.
Judging from Amutable’s self-declared vision to bring “determinism and verifiable integrity to Linux system,” the founders see plenty of room for improvement.
“Today’s infrastructure approaches security reactively. Software agents watch for vulnerabilities and intrusions; attackers refine their evasion. These defensive approaches are costly, brittle, and ineffective,” the company said.
“Amutable’s mission is to deliver verifiable integrity to Linux workloads everywhere. We look forward to working towards this goal with the broader Linux community.”
A cocktail of problems
The issue presents a rich cocktail of problems, the underlying causes of which are the difficulty of verifying that an image is as its developers intended and hasn’t been tampered with, while also maintaining a verifiable system state. Even existing security tools are struggling to keep up, with a 2025 proof-of-concept showing that it was possible to bypass leading Linux runtime security tools.
This is perhaps what Amutable’s founders mean when they describe the need to “replace heuristics with rigor” to achieve “verifiable integrity.” An image should be cryptographically verifiable in advance, including, ideally, a hash record of every stage of the boot process as well as running continuous checks against a signed file manifest.
In other words, instead of looking for a rogue file or suspicious behavior after the fact, the system would be able to verify itself deterministically.
The Introduction of this model of verifiability into Linux might have mitigated a range of incidents, including a 2023 attack where attackers exploited CVE-2022-42475 in Fortinet’s FortiOS SSL-VPN function to implant malware. Or a more recent vulnerability (CVE-2025-31133) in the runc Kubernetes container runtime that allowed attackers to break out of containers.
Perhaps the issue’s biggest impact was from the infamous backdoor supply chain hack affecting the XZ Utils data compression library that was uncovered by chance in 2024.
A common goal
“Security of the IT infrastructure is one of the top concerns for decades, and immutability, verification and full coverage of software supply chain throughout the lifecycle of an operating system or complete infrastructure are important contributions to achieve this,” noted Matthias G. Eckermann, director of product management, Linux at SUSE. He pointed out that SUSE is already delivering on this in multiple ways, including its certified Software Supply Chain and its Immutable OS with Transactional Updates.
“We are looking forward to hearing more from Amutable and collaborating with them on the common goal of improving resiliency and security of open-source infrastructure software,” he said.
Technology not the only problem
Right now, where this goes and how Amutable will make money is up in the air, but it will attract attention.
“Security teams are trained to trust signed packages and verified sources. When the supply chain itself is compromised (like the XZ Utils backdoor in 2024), traditional security training doesn’t prepare defenders for that scenario,” commented Chris Porter, CEO of certification company Training Camp. “If they [Amutable] can simplify verification, it reduces the expertise burden on security teams who currently lack deep Linux platform knowledge.”
However, technology isn’t the only problem. “As Linux dominates cloud infrastructure, enterprises need security professionals who understand boot integrity, code signing, and verification, skills that aren’t covered in most certification programs,” said Porter.