ROI calculator

A back-of-envelope number for your security review

Three inputs, three outputs, no telemetry. Drop in your team size and CI volume, get an estimate of incidents prevented, dependency-review time saved, and cache-hit cost savings. The arithmetic is shown — adjust inputs to match your stack.

Your team

What changes (annual estimates)

Supply-chain incidents prevented

0.8 / year

Based on Sonatype State of the Software Supply Chain — ~0.6 incidents per 100 developers per year, scaled by Chainsaw's install-path coverage.

Time saved on dependency review

1,300 hours / year

25 min per developer per week, 40% cut once policy refuses on the install path. Adjust if your review cadence is different.

Cache-hit CI savings

$691 / year

7,200 CI minutes saved per month at $0.008/min (GitHub-hosted Linux range), 30% cache-hit baseline.

These are estimates from public benchmarks, not contractual claims. Want a number tuned to your stack?

Book a 30-min walkthrough

Assumptions and source notes
  • Incidents-per-100-devs-per-year: derived from Sonatype's State of the Software Supply Chain reports (2022-2024); we use a conservative 0.6 baseline. Real rates vary by ecosystem and dependency fan-out.
  • Chainsaw install-path coverage: 85%. Reflects coverage of npm, pip, Maven, Docker, NuGet, Cargo, Go, and 9 more ecosystems — not 100%, because adversary novelty always carries residual risk.
  • Review-time saved: 25 min per developer per week reading SCA reports, 40% cut after install-path enforcement. Both numbers are tuneable above; tweak inputs to match your team.
  • Cache savings: 30% cache-hit rate, $0.008/min CI-runtime estimate. Self-hosted runners and air-gapped deployments will diverge.
  • No telemetry leaves your browser — every number is computed client-side from the inputs above.

Where the numbers come from

Source notes

The calculator is a model, not a measurement. Every assumption it bakes in is listed below so you can argue with it.

  • Incident frequency

    Sonatype State of the Software Supply Chain reports (2022-2024) tracked hundreds of thousands of malicious packages per year. We use a conservative 0.6 incidents per 100 developers per year baseline, scaled by Chainsaw's install-path coverage of 16 ecosystems.

  • Dependency-review time

    Average 25 minutes per developer per week reading SCA reports, triaging false positives, and responding to PR-blocking comments. Install-path enforcement removes the upstream cause for ~40% of those tickets.

  • CI cost savings

    Cached install bytes don't egress from upstream registries on repeat installs. We use a 30% cache-hit rate and a $0.008/min CI-runtime estimate (in the GitHub-hosted-Linux range). Self-hosted runners diverge — adjust the inputs.

  • What this isn't

    A contractual SLA, a refund formula, or a price negotiation tool. The page is a back-of-envelope estimate so a buyer can sanity-check the order of magnitude before scheduling a 30-minute call.
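The model the two lists of assumptions describe, written out as an added Python example (not the page's own calculator code and not Chainsaw's). The constants are the page's; the inputs of 150 developers and 24,000 CI minutes per month are assumptions inferred here because they reproduce the displayed 0.8 incidents, 1,300 hours and $691 per year.

```python
"""Re-implementation of the page's ROI model (added example, not Chainsaw's
own calculator). Constants come from the page's source notes; the two
inputs used at the bottom are assumptions that reproduce the displayed
figures (0.8 incidents/year, 1,300 hours/year, $691/year)."""

from dataclasses import dataclass

# Page constants (from "Assumptions and source notes")
INCIDENTS_PER_100_DEVS_PER_YEAR = 0.6  # Sonatype-derived conservative baseline
INSTALL_PATH_COVERAGE = 0.85           # share of install paths the tool covers
CACHE_HIT_RATE = 0.30                  # repeat installs served from cache
CI_COST_PER_MIN_USD = 0.008            # GitHub-hosted Linux range
WEEKS_PER_YEAR = 52


@dataclass(frozen=True)
class RoiEstimate:
    incidents_prevented_per_year: float
    review_hours_saved_per_year: float
    ci_minutes_saved_per_month: float
    ci_savings_usd_per_year: float


def estimate(developers: int, ci_minutes_per_month: float,
             review_min_per_dev_per_week: float = 25,   # page default, tuneable
             review_time_cut: float = 0.40) -> RoiEstimate:  # page default, tuneable
    """Three annual outputs from team size, CI volume and the review-time knobs."""
    # Incidents: per-100-developer rate scaled by install-path coverage.
    incidents = developers * INCIDENTS_PER_100_DEVS_PER_YEAR / 100 * INSTALL_PATH_COVERAGE
    # Review time: weekly minutes per developer, the fraction removed, in hours.
    review_hours = (developers * review_min_per_dev_per_week * WEEKS_PER_YEAR
                    * review_time_cut / 60)
    # CI cost: only the cache-hit share of minutes is saved, priced per minute.
    cached_minutes = ci_minutes_per_month * CACHE_HIT_RATE
    ci_dollars = cached_minutes * 12 * CI_COST_PER_MIN_USD
    return RoiEstimate(incidents, review_hours, cached_minutes, ci_dollars)


if __name__ == "__main__":
    # Assumed inputs (not stated on the page): 150 developers, 24,000 CI min/month.
    r = estimate(developers=150, ci_minutes_per_month=24_000)
    print(f"Supply-chain incidents prevented: {r.incidents_prevented_per_year:.1f} / year")
    print(f"Dependency-review time saved:     {r.review_hours_saved_per_year:,.0f} hours / year")
    print(f"Cache-hit CI savings:             ${r.ci_savings_usd_per_year:,.0f} / year "
          f"({r.ci_minutes_saved_per_month:,.0f} CI minutes / month)")
```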

Want a real number, not an estimate?

30 minutes, your CI metrics, our cost model

Bring last quarter's CI build count and SCA ticket volume. We'll plug them in, walk through the assumptions, and give you a refined number you can take into your security review.