Hardening Real Systems in Production

Practical, production-ready hardening guides for engineers who actually run systems. Every article includes complete configurations, quantified trade-offs, and documented failure modes.

What You’ll Find Here

• Linux / OS Hardening: sysctl, systemd sandboxing, SELinux, AppArmor, SSH, PAM, firewalls, audit logging
• Kubernetes / Platform: network policies, admission control, RBAC, seccomp, runtime detection, node hardening
• Network & API Security: NGINX, Envoy, HAProxy, Traefik, TLS, DNS, rate limiting, mTLS, WAF, gRPC, API gateways, request smuggling prevention
• CI/CD & Supply Chain: runner security, GitHub Actions, Helm chart signing, SLSA provenance, SBOM, dependency pinning, Terraform, container registry hardening, GitOps security, artifact integrity
• Observability & Detection: audit log pipelines, Prometheus security metrics, Falco, Tetragon, OpenTelemetry Collector hardening, incident response runbooks, dashboards
• AI & Security Landscape: threat model evolution, AI agent security, Claude for security detection, prompt injection, model serving hardening, LLM jailbreak defence, MCP server security, EU AI Act compliance, red teaming, AI governance pipelines
• Cross-Cutting Guides: PostgreSQL and Redis hardening, HashiCorp Vault, SPIFFE/SPIRE workload identity, zero-trust networking, post-quantum migration, threat modeling at scale, secrets rotation, incident response, compliance-as-code
• WebAssembly: Wasmtime hardening, Spin and wasmCloud on Kubernetes, WASI Preview 2 capabilities, Envoy and NGINX WASM plugins, edge runtimes (Cloudflare Workers, Fastly Compute), OCI signing, multi-tenancy, IoT and embedded deployment

How We Write

Every article follows the same structure:

1. Problem: what is the specific risk
2. Threat Model: who is the adversary, what do they want
3. Configuration: complete, copy-pasteable commands and configs
4. Expected Behaviour: how to verify it works
5. Trade-offs: what it costs (performance, complexity, compatibility)
6. Failure Modes: what breaks, how to detect it, how to fix it

No fluff. No “it depends” without constraints. No pseudocode.

Browse all articles