Articles

The June 2024 polyfill.io attack silently replaced CDN-hosted JavaScript for 100,000+ websites after a Chinese firm acquired the domain; Subresource Integrity hashes, Content Security Policy, and self-hosting eliminate the class of attack where a CDN becomes a malicious script delivery mechanism.

The April 2025 near-shutdown of MITRE's CVE program and NIST's NVD enrichment backlog exposed single points of failure in how organisations track vulnerabilities; a resilient CVE programme uses OSV, GitHub Advisory Database, VulnDB, and vendor feeds as primary sources rather than treating NVD as the sole source of truth.

Managing NGINX versions across a fleet that spans bare metal systemd services, VM deployments, and Kubernetes ingress controllers requires different tooling for each tier; a unified vulnerability tracking and patch orchestration process reduces the window between CVE disclosure and fleet-wide remediation.

Cyber insurance underwriters now mandate specific technical controls — privileged-access MFA, EDR on all endpoints, immutable backups, and a tested incident response plan; map each questionnaire requirement to a concrete implementation and maintain evidence for renewal.

AI-driven IR automation — auto-isolating hosts, revoking credentials, blocking IPs — has a large blast radius when wrong; define which actions can be fully automated versus requiring human approval, and build rollback procedures for every automated action.

GitHub Enterprise Cloud and Server organisation settings — SSO enforcement, IP allowlisting, audit log streaming, org-wide Actions policies, fork controls, and required status checks — form the governance layer that individual repository settings cannot compensate for.

Standard CSPM tools miss the AI/ML-specific attack surface — exposed model endpoints, unencrypted weights, over-permissioned training service accounts, and GPU node misconfigurations; extend your security posture scanning to cover the full AI workload lifecycle.

A structured process for responding to zero-day vulnerability disclosures — triage, impact assessment, compensating controls, and emergency patch deployment — that reduces the window between public disclosure and effective mitigation.

NIS2 became enforceable across EU member states in October 2024; map its incident reporting timelines, supply chain security obligations, and vulnerability disclosure requirements to concrete technical controls for platform and security teams.

PamDOORa, a PAM-based post-exploitation toolkit sold on cybercriminal forums in May 2026, persists by installing a malicious PAM module that intercepts every authentication event — capturing credentials, executing commands, and exfiltrating data silently. This article covers PAM module signing with IMA/EVM, file integrity monitoring for PAM configuration, detecting unexpected PAM modules at runtime, and hardening the PAM stack against backdoor insertion.

Strict input schema validation at the API gateway layer rejects malformed requests, oversized payloads, and unexpected fields before they reach business logic. The mass assignment vulnerability — where an ORM automatically maps request fields to model attributes — is eliminated when the gateway strips undeclared fields. OpenAPI spec-based validation at Envoy or Kong closes both attack surfaces.

IAM Roles for Service Accounts (IRSA) lets Kubernetes pods assume AWS IAM roles without static credentials, using the EKS OIDC provider to federate service account tokens. This article covers the IRSA token flow, configuring the EKS OIDC provider, creating IAM roles with trust policies, annotating service accounts, pod identity association (the newer IRSA replacement), and least-privilege IAM scoping for common workloads.

Backstage's extensible plugin architecture and broad infrastructure integration make it a powerful developer portal — and a high-value target. Misconfigured Backstage deployments have exposed internal service catalogs, Kubernetes credentials, and cloud provider API keys. This article covers authentication hardening, plugin security review, network exposure reduction, secrets management, and Backstage deployment hardening for production.

A container patching policy without enforcement is a suggestion. This article covers defining severity-to-SLA tiers for container vulnerabilities (Critical: 24h, High: 7d, Medium: 30d), using Copa as the rapid-response patching tool, enforcing SLA compliance with Kyverno admission policies that block images breaching their patch window, and handling exceptions without creating permanent policy gaps.

ContainerSSH delegates authentication and container configuration to external webhooks — making the webhook the most security-critical component of a ContainerSSH deployment. A compromised or misconfigured webhook can grant any user access to any container config. This article covers the ContainerSSH webhook protocol, securing the webhook endpoint with mTLS, integrating with OIDC and LDAP for authentication, and designing per-user container configs that enforce least privilege.

OAuth2 access tokens are typically valid for minutes to hours after issuance, creating a window where a compromised or policy-violating session continues to have access. CAEP (Continuous Access Evaluation Profile) and RISC (Risk and Incident Sharing and Coordination) enable real-time session revocation signals between IDPs and relying parties. This article covers the SSE framework, CAEP event types, implementing a CAEP receiver, and integrating with Okta, Azure AD, and custom access evaluation engines.

Multi-cloud architectures need workload identity that spans cloud boundaries without static credentials. OIDC federation enables a workload authenticated in one cloud (or Kubernetes) to exchange its identity token for credentials in another cloud. This article covers the cross-cloud federation patterns, AWS STS → GCP WIF chain, Kubernetes OIDC as universal identity anchor, and the security controls needed to prevent credential abuse across trust boundaries.

Dependency confusion exploits the package resolution order in npm, pip, and Maven: if a private internal package name exists in a public registry with a higher version number, the build tool fetches the malicious public version. This article covers the attack mechanics, real-world incidents, and the technical countermeasures — scoped packages, registry pinning, private registry mirrors, and SLSA-based verification.

Device posture verification checks that the device making an access request meets security requirements — disk encryption enabled, OS patched, endpoint agent running, certificate issued by corporate PKI. This article covers device attestation using TPM-bound certificates, integrating posture signals into access policy via CAEP/SSE, MDM attestation APIs (Jamf, Intune), and Linux endpoint posture without MDM.

GCP Workload Identity Federation allows external identities — GitHub Actions, AWS EC2, Azure AD, Kubernetes service accounts — to access GCP resources without storing a service account key. This article covers the federation configuration, attribute mapping and conditions, integrating GitHub Actions OIDC with GCP, GKE Workload Identity for pod-to-GCP access, and auditing federated identity usage in Cloud Audit Logs.

IAM roles accumulate permissions over time through copy-paste, role inheritance, and optimistic provisioning. Automating least-privilege enforcement requires analysing actual access patterns, generating minimum-permission policies, and continuously detecting permission drift. This article covers AWS IAM Access Analyzer, GCP Policy Analyzer, Azure Permission Analysis, and building a continuous IAM right-sizing pipeline.

Internal Developer Platforms (IDPs) give developers self-service access to infrastructure — which means the IDP itself becomes a high-value attack target. A compromised IDP can provision resources in any environment, expose secrets, and grant excessive cloud permissions. This article covers IDP threat modelling, Backstage security hardening, service catalog integrity, and enforcing security guardrails on self-service provisioning.

Most Kubernetes privilege escalation chains don't require vulnerabilities — they exploit legitimate RBAC capabilities. The ability to create pods grants access to any service account in the namespace. The ability to patch deployments allows injecting a privileged init container. The ability to create roles and bind them allows self-granting arbitrary permissions. This article maps six specific escalation chains and the admission controls that block each one.

The OpenSSF Scorecard automates security assessment of open source projects across 20+ checks: branch protection, CI test coverage, dependency pinning, signed releases, SAST, vulnerability disclosure. This article covers running Scorecard in CI to gate dependency updates, interpreting check results, integrating Scorecard with Dependency-Track and deps.dev, and building an internal dependency risk register.

Platform teams need to give developers access to secrets (database credentials, API keys, certificates) without developers ever seeing the raw secret values or storing them in code. This article covers secrets injection patterns for Kubernetes (External Secrets Operator, Vault Agent, CSI driver), CI/CD secrets injection (OIDC-based Vault auth, GitHub Actions secrets), and the governance model for secret lifecycle ownership.

Policy as code scales security rules across thousands of services and clusters by expressing security intent as machine-readable, testable, version-controlled policies. This article covers structuring OPA policy libraries for large organisations, Rego unit testing with opa test, policy bundling and distribution with OPA bundles, CI/CD integration for policy validation, and managing policy exceptions without exceptions-by-default.

When vulnerability scanners report hundreds of CVEs in container images, most are not exploitable in your specific deployment context. VEX (Vulnerability Exploitability eXchange) documents let vendors and operators assert exploitability status per CVE per product, reducing false-positive noise by orders of magnitude. This article covers VEX document formats (CycloneDX VEX, OpenVEX), creating and consuming VEX documents, integrating VEX into Grype and OWASP Dependency-Track, and the VEX lifecycle.

Rotating a database password without downtime requires dual active credentials during the rotation window: the old password stays valid while applications switch to the new one. AWS Secrets Manager's rotation Lambda and Vault's database secrets engine both implement this pattern. This article implements zero-downtime rotation for PostgreSQL, covers rollback when the new credential fails, and shows how to detect rotation failures before they cause outages.

SOCKS5, DNS-over-HTTPS, ICMP tunnelling, and HTTP/S CONNECT proxies are legitimate protocols used to route malicious traffic through network controls. C2 frameworks (Cobalt Strike, Havoc, Sliver) all support these transport methods. This article maps the traffic signatures, anomaly patterns, and detection techniques that identify covert channels without breaking legitimate protocol use.

Time-of-check to time-of-use (TOCTOU) vulnerabilities arise when a security check and the subsequent operation act on state that can change between the two — allowing a racing thread or process to substitute a different object after the check passes. This article covers TOCTOU in filesystems (symlink races), kernel copy operations, Kubernetes admission control, and application-level check-then-act patterns, with concrete mitigations for each layer.

Malicious packages with names one keystroke away from popular libraries have exfiltrated credentials, installed backdoors, and cryptomined on developer machines. This article covers the mechanics of typosquatting attacks on npm, PyPI, and RubyGems; automated detection using similarity scoring, Socket.dev, and GuardDog; enforcing package allowlists in CI; and runtime behavioural monitoring to catch post-install scripts.

Zero trust replaces perimeter security with continuous verification of every request regardless of network location. This article covers the NIST SP 800-207 zero trust model, the five pillars (identity, device, network, application, data), BeyondCorp's access proxy pattern, mapping zero trust controls to Kubernetes workloads, and a phased migration plan from VPN-based to zero-trust access.

Traditional SBOM and dependency scanning assume declared dependencies with known provenance. AI-generated code inlines functionality previously provided by a named, versioned, licensed dependency — invisible to scanners, unlicensed, unmaintained, and not associated with any CVE feed. The log4shell of AI-generated code won't appear in your dependency tree. This article covers detection, inventory, and governance controls.

AI-driven bots defeat every individual detection technique. A programme-level bot management strategy layers scoring tiers (allow/challenge/block), replaces CAPTCHAs with WebAuthn step-up authentication, maintains an explicit allowlist for legitimate automation, and selects vendors on signal diversity rather than detection rate. This article provides the architecture and policy framework.

Real-time voice synthesis (ElevenLabs, Resemble AI, RVC) now produces convincing voice clones in under 3 seconds of sample audio. Attackers use these to bypass helpdesk identity verification, defeat voice-based MFA, and impersonate executives in authorisation flows. The defence requires liveness detection, out-of-band verification, and policy changes that don't trust voice as a sole authenticator.

Practical technical implementation of EU CRA obligations: SBOMs, vulnerability handling, conformity assessment, and security update commitments for software vendors.

CVE-2019-5736 (runc), CVE-2022-0847 (Dirty Pipe), and CVE-2022-1015 (Netfilter) each demonstrated that containers sharing a Linux kernel cannot be isolated by Linux itself. gVisor reimplements kernel syscalls in userspace; Kata Containers runs each pod in a separate microVM. Both exist because the threat model changed.

The MCP 2025 specification defines an OAuth 2.0 authorization framework for delegated agent access to tools and resources. An agent acting on behalf of a user should only have access to the tools that user explicitly authorised, with tokens scoped to specific resources and short lifetimes. This article implements the MCP OAuth 2.0 spec with real examples and maps the authorisation design decisions that prevent agents from accumulating ambient authority.

NIST finalised ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) in August 2024. This guide covers what each standard provides, when to use each, and how to implement them with the Open Quantum Safe liboqs library, the Rust pqcrypto crate, and integration patterns for existing cryptographic infrastructure — distinct from the high-level migration strategy in our post-quantum migration guide.

An open source project without a security policy forces researchers to choose between silent disclosure and public exploitation — neither helps your users. A SECURITY.md, private reporting channel, CVE workflow, and clear disclosure timeline turns security reports into trust-building opportunities. This guide builds a complete security programme for open source project maintainers, from first report to post-disclosure retrospective.

Passkeys (synced WebAuthn credentials) are now the de-facto MFA replacement at scale: Microsoft Entra, Okta, Google Workspace, and Apple Business Manager all support enterprise passkey rollout in 2026. The interesting decisions are about attestation, account recovery, and Bring-Your-Own-Device boundaries — get them wrong and you have weaker security than the password+TOTP you replaced.

Seccomp doesn't fix kernel bugs — it prevents reaching them. Blocking splice() closes Dirty Pipe. Blocking perf_event_open() closes CVE-2023-2235. Blocking socket(AF_NETLINK) closes the nftables CVE class. Blocking bpf() closes the eBPF verifier CVE class. One strace-based profiling session plus four blocked syscalls closes the most exploited Linux kernel CVE categories for container workloads.

Running four separate security scanning tools produces four separate finding lists with duplicates, different severity scales, and no unified remediation tracking. A mature AppSec programme correlates findings across tools, deduplicates across the same vulnerability found by multiple scanners, normalises severity, and tracks remediation through a single workflow. This guide builds that programme using DefectDojo and open-source tooling.

API security vulnerabilities — broken object-level authorisation, mass assignment, injection — are best caught by automated testing against a running service. This guide covers OWASP API Top 10 coverage with DAST tools, property-based fuzzing with Schemathesis, authentication bypass testing, and integrating API security tests into CI/CD.

Audit logs that aren't tamper-resistant, complete, and correlated are useless for incident response and compliance. Designing audit logging requires defining what events to capture, ensuring log integrity, centralising across services, and enabling efficient querying. This guide covers event schema design, tamper protection, correlation, and compliance requirements.

Ransomware groups now target backup infrastructure before encrypting production data. Secure backups require immutability, isolation from production credentials, encryption with offline keys, and regular recovery testing. This guide covers the 3-2-1-1-0 backup strategy, immutable storage, backup authentication hardening, and recovery testing.

Certificate expiry causing outages, forgotten self-signed certs in production, and revocation that nobody checks are symptoms of poor certificate lifecycle management. This guide covers building a certificate inventory, automating renewal with ACME and cert-manager, revocation infrastructure, and monitoring across internal PKI and public CA certs.

Container security requires controls at every SDLC stage — secure base images, Dockerfile linting, vulnerability scanning in CI, image signing, admission control, and runtime monitoring in production. This guide maps security controls to SDLC phases and provides an integrated view of container security for teams building and operating containerised applications.

Systems that hardcode SHA-1, RSA-2048, or AES-128 cannot be migrated without breaking changes. Cryptographic agility — algorithm negotiation, abstracted crypto interfaces, versioned key material — allows migrating to post-quantum algorithms, replacing deprecated ciphers, and responding to cryptographic breaks without re-architecting the system.

Flat key management — one key for everything — creates catastrophic exposure when compromised. Key hierarchies limit blast radius: a compromised data key affects one dataset; a compromised root key is catastrophic. This guide covers key hierarchy design, envelope encryption, key derivation functions, hardware root of trust, and managing key rotation without service disruption.

Without a data classification scheme, engineers cannot make informed decisions about encryption strength, access control granularity, or retention periods. This guide covers defining a practical classification taxonomy, tagging data at source, enforcing handling controls per class, and operationalising classification through tooling.

The EU Digital Operational Resilience Act (DORA) is in force from January 2025 for banks, insurers, investment firms, and their critical ICT providers. DORA mandates specific technical capabilities: ICT risk management frameworks, incident classification and reporting, TLPT penetration testing, and contractual controls on ICT third-party providers. This guide maps DORA Articles to concrete technical controls.

CVE-2026-5747 is an out-of-bounds write in Firecracker's virtio PCI transport — demonstrating that minimal Rust VMs still carry device emulation attack surface. Compare isolation models and understand why eliminating device emulation, not minimising it, is the architectural response.

Manual hardening checklists don't scale beyond a few dozen systems. Automated baselines codify security configuration as policy, enforce it at provisioning, detect drift in production, and generate compliance evidence. This guide covers CIS Benchmark automation with Ansible, InSpec/OSQuery for continuous compliance, and cloud-native configuration enforcement.

Most organisations have ad-hoc IAM — permissions granted manually, never reviewed, and accumulated over years. A structured IAM maturity model provides a roadmap from reactive, manual IAM to automated, continuously verified least-privilege. This guide covers the five maturity levels, assessment methodology, and a prioritised improvement roadmap.

Federating identity across organisational boundaries introduces trust chains, attribute mapping risks, and cross-domain privilege escalation paths. This guide covers SAML and OIDC federation security, IdP trust hierarchy design, attribute mapping hardening, preventing privilege escalation via federation, and monitoring federated access.

Multi-tenant systems must prevent tenant A from accessing tenant B's data, configurations, or compute resources. This guide covers tenancy models (silo vs pool vs bridge), data isolation strategies, request-path tenant context enforcement, cross-tenant vulnerability classes (IDOR, confused deputy, shared caching), and testing isolation guarantees.

A flat network where every host can reach every other host is a lateral movement enabler. Defence-in-depth network design uses zones, segmentation, inspection, and access controls to contain breaches and limit their blast radius. This guide covers zone-based architecture, modern cloud network design, east-west traffic inspection, and mapping controls to threat scenarios.

CVE-2026-31790 leaks heap bytes when OpenSSL's RSA key encapsulation fails on a malicious public key. Affects applications using RSASVE for hybrid key exchange. Patch OpenSSL 3.x and audit KEM usage to identify exposure.

Admins who check email and browse the web on the same device they use for production access expose privileged credentials to phishing, malware, and browser exploitation. Privileged Access Workstations provide a dedicated, hardened, internet-isolated environment for administrative operations. This guide covers PAW design, hardening, jump server patterns, and cloud-native alternatives.

Ad-hoc permission assignments accumulate into unmaintainable, over-privileged systems. Structured RBAC design with role hierarchies, functional decomposition, and regular reviews prevents privilege creep. This guide covers RBAC modelling, temporal access patterns, policy-as-code enforcement, and common design anti-patterns.

Secrets accumulate in git history, CI environment variables, container images, configuration files, and employee laptops. Secret sprawl creates persistent credential exposure that static scanning misses. This guide covers systematic secret discovery across all attack surfaces, prioritised remediation, and architectural changes to eliminate sprawl at the source.

Security is architecturally expensive to retrofit but cheap to design in. Core patterns — defence-in-depth, least privilege, fail-safe defaults, separation of duties, complete mediation — prevent entire vulnerability classes when applied consistently. This guide covers each principle with concrete implementation examples and common anti-patterns.

Manual security operations don't scale. Automating alert triage, enrichment, and response reduces analyst fatigue and improves response times. This guide covers SOAR platform patterns, building automation playbooks for common scenarios, human-in-the-loop design, and measuring automation effectiveness.

A central security team cannot review every PR and attend every design review. Security champions — engineers with security interest and training embedded in product teams — scale security knowledge across the organisation. This guide covers champion selection, curriculum design, tooling support, and measuring programme effectiveness.

Security debt accumulates when known vulnerabilities are deferred, security controls are skipped under time pressure, and deprecated libraries linger. Unmanaged security debt grows faster than it's resolved. This guide covers security debt taxonomy, risk-based prioritisation, tracking in engineering systems, and making the business case for security remediation.

Generic security awareness training doesn't teach developers to write secure code. Effective developer security education is contextual, hands-on, and integrated into the development workflow. This guide covers threat modelling workshops, language-specific secure coding training, capture-the-flag programmes, and measuring training effectiveness.

Poor incident communication delays containment, erodes trust, and creates regulatory exposure. Effective communication requires pre-approved channels, role-specific messaging, and legal-reviewed templates. This guide covers internal escalation paths, customer notification obligations, regulatory reporting timelines, and avoiding common communication failures.

Security initiatives without governance — executive sponsorship, defined policies, measurable outcomes, and clear accountability — stall or regress. Effective security governance translates technical risk into business language, establishes accountability, and creates the conditions for sustained security improvement. This guide covers security policy frameworks, metrics programmes, board reporting, and RACI design.

Service accounts are the most common vector for credential theft and privilege escalation — long-lived, over-privileged, and rarely reviewed. This guide covers least-privilege service account design, OIDC workload identity replacing static credentials, detecting unused accounts, and audit strategies for non-human identity hygiene.

Employees using unsanctioned SaaS, spinning up personal cloud accounts, and running unapproved services create invisible attack surface that falls outside security controls and compliance scope. This guide covers DNS-based SaaS discovery, cloud account enumeration, certificate transparency monitoring, and governing shadow IT without blocking productivity.

Modern software is 80% third-party components. Supply chain attacks — compromised dependencies, malicious maintainer accounts, tampered build systems — are now the preferred vector for sophisticated attackers. This guide covers building a supply chain risk programme: inventory, risk scoring, controls, monitoring, and incident response.

Raw threat intelligence feeds without a consumption process generate noise, not decisions. A mature threat intelligence programme ingests indicators, enriches them with context, maps them to your environment, and produces prioritised actions. This guide covers intelligence types, source selection, MISP deployment, and integrating threat intel into detection and vulnerability management.

Axios 1.14.1 passed every npm integrity check — the malicious tarball had a correct SHA-512 hash because it was legitimately published. Understand what npm integrity protects against, where it fails, and how provenance attestations close the gap.

CVE-2025-15467 is a CVSS 9.8 stack overflow in OpenSSL's CMS parser — the first RCE-class OpenSSL flaw since 2022, discovered entirely by AI. Patch OpenSSL 3.x across your estate, identify CMS-parsing applications, and understand what AI-driven vulnerability discovery means for your patch cadence.

CVE-2026-39892 causes buffer overflow in Python's cryptography library when Hash.update() receives a non-contiguous buffer (e.g., from a strided slice). Safe Python code triggers unsafe C behaviour. Upgrade to 46.0.7 and audit code paths that pass sliced arrays to cryptographic APIs.

Harden Authentik against CVE-2026-25227 RCE via delegated property mapping execution and CVE-2026-25748 forward auth bypass with Traefik/Caddy—and monitor Authentik's public-commit-before-advisory pattern.

Harden Go-based PKI infrastructure against CVE-2026-33810 x509 name-constraint bypass and node-forge CVE-2026-33896, and track Go runtime crypto fixes before they reach your toolchain.

The Axios attacker needed only one thing: a stolen npm token. The ecosystem trust model concentrates enormous risk in individual maintainer accounts. Harden yours with FIDO2, endpoint security, and token hygiene — and reduce consumer exposure with lockfiles and provenance verification.

CISA prioritises integrity over confidentiality in OT. Implement HMAC-signed historian records, digitally signed PLC project exports, file integrity monitoring on HMI workstations, and OPC-UA Sign mode for latency-sensitive control loops.

CISA's OT Zero Trust guidance highlights device identity as the hardest pillar in OT. Build a PKI for OT non-person entities, separate AD forests for OT, and implement SPIFFE/SPIRE where devices support it — with compensating controls for legacy PLCs.

CVE-2026-41676 causes heap overflow from safe Rust code when rust-openssl calls EVP_PKEY_derive on OpenSSL 1.1.x. Learn how this breaks Rust's safety guarantees, how to detect affected crates, and how to harden your Rust PKI stack.

Harden Keycloak against the April-May 2026 multi-CVE batch—TOCTOU token reuse, SSRF, privilege escalation—and ZITADEL's CVE-2026-29191 critical XSS chain, with upstream advisory monitoring.

Map NIST Cybersecurity Framework 2.0's six functions—Govern, Identify, Protect, Detect, Respond, Recover—to concrete technical controls and measurable outcomes for production environments.

Use OpenSSF Scorecard to evaluate whether open source dependencies follow security best practices, enforce minimum scores in CI, and identify projects that ship silent CVE fixes via public PRs.

Harden Internal Developer Platforms built on Backstage, Port, or Cortex by securing plugin trust models, service catalog secrets, scaffolding templates, and open source IDP CVE tracking.

Harden Splunk Enterprise against CVE-2026-20204 arbitrary file upload RCE (SVD-2026-0403), privilege abuse in app management, and the closed-source advisory monitoring challenge.

Harden Vault's unauthenticated /sys/* endpoints against CVE-2026-5807-class denial-of-service, restrict the root token generation surface, and track HCSEC advisories before they reach your deployment.

A bug bounty program extends vulnerability discovery beyond internal security teams by paying external researchers for valid findings. A poorly designed program creates legal risk, researcher frustration, and low signal-to-noise. Structured scope, clear policies, and fast triage convert researcher effort into genuine risk reduction.

Implement fine-grained, auditable authorization using Amazon Cedar's policy language and AWS Verified Permissions, with formal verification and policy-as-data patterns.

Cloud DLP stops sensitive data from leaving controlled boundaries through misconfigured storage, overpermissive APIs, or exfiltration. Effective cloud DLP combines data classification, storage access controls, egress network policies, and detection of anomalous data movement.

A maturity model provides a structured way to assess where a security programme is today, identify the highest-value next steps, and measure progress over time. Without measurement, security programmes grow by adding tools and headcount without improving outcomes.

A penetration test is only as valuable as its scope and findings management. Poorly scoped tests miss critical attack paths; poorly managed findings sit in a PDF report and never get remediated. Structured scoping, execution phases, and a remediation workflow convert pentest findings into actual risk reduction.

A vulnerability management program reduces exploitable attack surface by ensuring discovered vulnerabilities are assessed, prioritised by real risk, assigned to owners, and remediated within defined SLAs. Scanning without a remediation workflow is security theatre.

CSPM tools continuously compare live cloud configuration against a security baseline. Without them, misconfigurations — public S3 buckets, overpermissive security groups, disabled MFA — persist undetected for months.

An unprotected Kafka cluster is an open message bus: any client can produce or consume any topic. SASL authentication, ACLs, inter-broker TLS, and Schema Registry access controls close these gaps.

Most security teams measure what is easy to count, not what matters. A metrics program built on MTTD, MTTR, coverage, and risk reduction connects security activity to business outcomes executives can act on.

Third-party vendors extend your attack surface without extending your control. A structured assessment program — questionnaires, continuous monitoring, contractual SLAs, and offboarding procedures — limits the blast radius of vendor compromise.

API keys are the most-leaked credential type. Treating their lifecycle as a tracked property — issued, scoped, rotated, revoked — is the difference between hygiene and incident.

HSMs provide tamper-resistant key storage and cryptographic operations. Integrating CloudHSM, SoftHSM, or Vault with an HSM backend removes private keys from application memory and operating system reach.

OAuth 2.0 and OIDC implementations fail in predictable ways: missing PKCE, broad scopes, long-lived tokens, and JWT validation shortcuts. Each is a straight path to account takeover.

Static SSH keys + bastion hosts is the 1990s model. Teleport / Boundary broker access dynamically, record sessions, and integrate with identity. The 2026 default.

Tabletops without follow-through are theatre. Chaos security drills make findings unavoidable. Both, run together, build organizational muscle for real incidents.

Rotation isn't just minting a new secret. It's a sequenced operation across producers, consumers, and stale-credential drains. Most outages happen during rotation.

Cryptographic workload identity that survives across Kubernetes clusters, cloud accounts, and on-prem hosts. SPIFFE replaces shared secrets with attestation.

Threat modeling does not scale by adding more whiteboard sessions. Codify the methodology, embed in design review, and treat threat models like code.

NIST finalized ML-KEM and ML-DSA in 2024. Harvest-now-decrypt-later is already happening. A migration plan that covers TLS, SSH, artifact signing, and secrets is now tractable.

Nearly 80% of intrusion detections in 2026 are malware-free. Attackers steal valid credentials, hijack session tokens, exploit federated access, and bypass weak MFA to move laterally without triggering traditional malware detection. This article covers the defensive controls for identity-based attacks.

Ransomware has evolved from simple encryption to multi-stage extortion: data theft, encryption, public exposure threats, and DDoS. Ransomware-as-a-Service groups operate with dedicated negotiation teams and support desks. This article covers the defensive architecture that reduces blast radius, detects early-stage ransomware behaviour, and enables recovery without paying.

"Are we more secure than last month?" is a question most teams cannot answer. Security tools produce individual outputs: kube-bench returns a CIS score...

Manual compliance audits are point-in-time snapshots that are outdated before the report is written.

PostgreSQL defaults prioritise developer convenience over security. A stock installation on most distributions allows local trust authentication (any.

A fresh Kubernetes cluster (whether bootstrapped with kubeadm, k3s, or provisioned by a managed provider) ships with defaults optimised for getting...

During an active security incident, hardening is reactive: isolate the compromised system, contain the blast radius, preserve evidence, and stop the..

When your security infrastructure fails, you are flying blind. If Vault is down, applications cannot retrieve secrets and new deployments stall.

Self-hosted Prometheus consumes 500GB+ storage within 6 months for a 20-node Kubernetes cluster.

Message brokers carry some of the most sensitive data in any architecture, payment events, user actions, system commands, PII in event streams.

Running infrastructure across multiple cloud providers means maintaining consistent security controls across fundamentally different systems.

Perimeter security assumes the internal network is safe. It is not. A single compromised pod, a stolen VPN credential, or a malicious insider gives...

A team of 1-5 engineers cannot implement 100 hardening controls simultaneously. Most hardening guides present controls as equally important, leaving...

Self-managed Kubernetes clusters (kubeadm, k3s, kops) consume 8-16 hours per month of engineering time for control plane maintenance: etcd backups,...

Redis defaults prioritise developer convenience: no authentication, no TLS, all 200+ commands available, and binding to all interfaces.

Argo Workflows evaluates template expressions using user-supplied workflow parameters; without input validation, an attacker with workflow submission access can inject expressions that execute arbitrary commands in the workflow executor, exfiltrate secrets, or pivot to other cluster workloads.

CVSS severity alone cannot prioritize patching when hundreds of CVEs affect your Kubernetes images; the Exploit Prediction Scoring System (EPSS) provides a probability-of-exploitation score that focuses remediation on the CVEs most likely to be actively exploited in the next 30 days.

ingress-nginx has had multiple critical CVEs including annotation injection attacks; manual Helm chart version management leaves clusters exposed for weeks; automate detection of new releases, staged canary rollout, and rollback to reduce patch lag to hours.

Mutating webhook sidecar injection — used by Istio, Dapr, and custom platform injectors — can be abused to inject rogue containers or modify existing ones; audit injection logic, enforce webhook TLS, restrict injection to approved namespaces, and validate injector output.

AI assistants generating Kubernetes Deployment, RBAC, and Service YAML reproduce predictable misconfigurations — privileged containers, missing securityContext, broad ClusterRoleBindings; validate with Polaris, kube-score, and Kyverno before admission.

The Secrets Store CSI Driver mounts external secrets from AWS, Azure, GCP, and Vault into pods via provider plugins; its sync-to-Kubernetes-Secret behaviour, RBAC surface, and provider pod permissions are common misconfiguration sources that expose secrets beyond their intended scope.

AI training jobs on Kubernetes have access to large GPU nodes, model weights, and training datasets; isolate them from production namespaces with dedicated node pools, network policy, and RBAC to prevent cross-job data leakage and lateral movement.

RBAC permissions on pods/exec, pods/portforward, pods/log, and nodes/proxy are functionally equivalent to cluster compromise yet routinely over-provisioned; audit who holds these grants and replace them with time-limited JIT access.

Extension API servers registered via API aggregation can intercept credentials, bypass RBAC, and escalate to cluster-admin; harden the aggregation layer with mutual TLS, bounded permissions, and routing controls.

When a critical kernel LPE like Dirty Frag (CVE-2026-43284/43500) drops with a public PoC, the window between disclosure and exploitation may be hours. Kubernetes clusters running hundreds of nodes need a systematic, automated approach to kernel patching — identifying vulnerable nodes, draining workloads safely, applying patches, and verifying remediation — without days of manual work.

Azure Workload Identity replaces pod identity (now deprecated) and Managed Identity limitations in AKS by using OIDC federation between the AKS OIDC issuer and Azure AD. Kubernetes pods receive projected service account tokens that can be exchanged for Azure AD access tokens without any stored credentials. This article covers enabling the OIDC issuer on AKS, creating federated credentials, configuring workload identity in pods, and auditing with Azure Monitor.

Signing container images is only useful if admission control verifies the signature before the image runs. This article covers the end-to-end enforcement pipeline: signing images with cosign in CI, verifying signatures with Kyverno ImageVerify and OPA Gatekeeper, configuring signature transparency with Rekor, handling multi-architecture image indexes, and the key distribution problem in enterprise environments.

ContainerSSH's Kubernetes backend launches a dedicated Pod for each SSH connection, giving each session its own process namespace, filesystem, and network identity. The security of this model depends entirely on the Pod spec returned by the config webhook: a misconfigured PodSecurityContext, missing NetworkPolicy, or overly broad RBAC for the ContainerSSH service account can turn an isolation mechanism into a cluster escape path.

Running Copa (Copacetic) as a Kubernetes CronJob continuously scans images in a registry and patches those above a vulnerability severity threshold, while Kyverno admission policies block unpatched images from being scheduled. Together they create a closed-loop container patching system that operates independently of application teams and upstream image publishers.

ETCd holds every Kubernetes secret, service account token, and config in base64-encoded plaintext. A direct etcd connection bypasses all RBAC — there are no Kubernetes access controls between an etcd client and the data. Attackers who reach etcd (via node compromise, misconfigured backup access, or exposed port) can read every secret and forge service account tokens. This article covers the attack paths, what data is exposed, and how to detect and recover.

The External Secrets Operator (ESO) reconciles secrets from AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, and HashiCorp Vault into Kubernetes Secrets on a defined refresh interval. The Kubernetes Secret is a cache — the authoritative copy lives in the cloud secret store. This article covers ESO's security model, ClusterSecretStore RBAC scoping, detecting sync failures before they become outages, and what happens when cloud credentials are compromised.

Broken Object-Level Authorisation (OWASP API1) and Broken Function-Level Authorisation (OWASP API5) are the top two API vulnerability classes. In Kubernetes multi-tenant deployments, namespace isolation creates a false sense of per-tenant authorisation — but the application inside the namespace still needs to enforce that Tenant A cannot access Tenant B's resources. This article implements OPA and Kyverno-based enforcement patterns for request-level authorisation.

Kubernetes service account tokens are the primary credential for pod-to-API-server communication and OIDC federation. Long-lived auto-mounted tokens without audience or expiry binding are a persistent source of credential theft risk. This article covers projected service account tokens (TokenRequest API), disabling automounting, audience-bound tokens for OIDC, detecting token theft with audit logs, and migrating from legacy tokens.

Kyverno's admission webhook intercepts every pod creation, secret write, and RBAC change in the cluster. Compromising the Kyverno controller — via a CVE in the controller binary, a misconfigured webhook, or a supply chain attack on the Kyverno image — breaks all policy enforcement silently. This article hardens the Kyverno deployment itself and implements monitoring that detects when Kyverno is bypassed or degraded.

Overlayfs implements copy-on-write by copying files from the lower (image) layer to the upper (writable) layer on first write. Races in this writeback path and privilege copy semantics have enabled container escapes — CVE-2023-0386 allowed setuid files to be copied with preserved capabilities outside a user namespace. This article covers the overlayfs CoW mechanism, the escape chain, kernel patches, and Kubernetes-level mitigations.

Sigstore's keyless signing model uses short-lived certificates bound to OIDC identity, recorded in Rekor's transparency log, eliminating long-lived private keys from the supply chain. This article covers cosign keyless signing in GitHub Actions, Rekor log integration, verifying image signatures in admission controllers, and enforcing signature policy with Kyverno and OPA Gatekeeper.

SPIFFE (Secure Production Identity Framework for Everyone) defines a universal workload identity standard using X.509 SVIDs and JWT-SVIDs. SPIRE implements SPIFFE with a Kubernetes-native attestation model, automatic cert rotation, and federation across trust domains. This article covers deploying SPIRE on Kubernetes, configuring workload attestation, federating across clusters, and integrating SPIFFE identity with Envoy and Istio.

An LLM can generate a Kubernetes operator with reconciliation logic, CRD definitions, and RBAC in under an hour. That operator has no maintainer, no security advisory channel, no CVE disclosure process, and no patch history. When a vulnerability is found — in its RBAC grants, its webhook handling, or its dependency chain — there is nobody to call and no patch coming.

The default CodeQL query packs don't cover Kubernetes-specific vulnerabilities — RBAC wildcard rules in Go controller code, unencrypted Kubernetes Secrets in Helm values, privileged container specs baked into application manifests. This guide writes custom CodeQL queries for Kubernetes controllers, operator code, and Helm chart generation that surface misconfigurations at the source code level.

A crafted OCI image config with an empty Target.Path in a volume mount definition caused containerd to bind-mount the host root filesystem into the container. Every pod on a vulnerable node running any image from an untrusted registry had read access to the complete host filesystem — including kubelet credentials, cloud instance metadata, and secrets from co-located pods.

OpenAI Operator, Claude Computer Use, Microsoft Copilot Browser, and open-source browser-automation agents generate HTTP traffic that passes every CAPTCHA and mimics human timing. Standard WAF rules and bot score APIs fail. Envoy's ext_authz filter enables a multi-signal scoring pipeline at ingress — before requests reach application pods — combining TLS fingerprint, request graph, and inter-request timing signals.

Securing the GA DRA API in Kubernetes 1.32+: ResourceClaim RBAC, driver trust boundaries, GPU/TPU isolation, and multi-tenant DRA threat model.

In-place pod resize went GA in Kubernetes 1.33. The new resize subresource changes how resource limits are enforced at runtime — admission webhooks must update, ResourceQuotas behave differently, and a misconfigured cluster lets a tenant escape its original limits. Production hardening guide.

LLM SRE and coding agents now ship with Kubernetes API tools equivalent to kubectl. A prompt injection payload embedded in a pod log, ConfigMap, or CRD field is indistinguishable from a legitimate instruction to the agent. When the agent has cluster-admin or namespace-admin RBAC, one injected instruction becomes a cluster-wide compromise.

MCP servers deployed as Kubernetes services give AI agents programmatic access to cluster resources, databases, and APIs. An MCP server with cluster-admin RBAC or unrestricted network access becomes a fully capable attack pivot when an agent is prompt-injected. Least-privilege service accounts, NetworkPolicy, and admission control gates reduce the blast radius to the minimum required for the tool's legitimate function.

Kubernetes operators ship to production clusters with elevated RBAC permissions and direct API server access — a vulnerability in an operator can compromise the entire cluster. This guide covers how to report operator vulnerabilities responsibly, how operator maintainers should handle disclosures, CVSS scoring for Kubernetes-specific issues, and what cluster operators should do when a vulnerability is published.

Kubernetes control plane PKI, service mesh CAs, SPIFFE SVIDs, and Ingress TLS certificates all rely on RSA or ECDSA — algorithms vulnerable to harvest-now-decrypt-later. This guide maps the Kubernetes certificate landscape, implements hybrid PQC certificates with cert-manager and step-ca, and provides a phased migration roadmap for production clusters.

CVE-2019-5736 allowed a malicious container to overwrite the host runc binary by exploiting /proc/self/exe during container exec. Any kubectl exec or docker exec into an attacker-controlled container gave root on the host. Every container runtime that used runc was affected.

CVE-2026-42880 (CVSS 9.6) lets any read-only Argo CD user extract plaintext Kubernetes Secrets via the Server-Side Diffs API when IncludeMutationWebhook=true is annotated. Patch to v3.3.9, audit annotations, and harden Argo CD RBAC.

The UK AI Security Institute found LLMs escape containers ~50% of the time, 100% with exposed Docker sockets or privileged pods. Eliminate the specific misconfigurations that make automated escape trivial and harden the remaining attack surface against systematic AI exploitation.

Running card-processing workloads in Kubernetes requires explicit PCI DSS scope reduction, strict NetworkPolicy isolation, pod-level security controls, and per-node audit logging that satisfies Requirements 1, 2, 7, and 10. This guide maps Kubernetes controls to PCI DSS v4.0 and provides assessor-ready evidence commands.

CVE-2026-33186 (CVSS 9.1) allows attackers to bypass path-based gRPC authorization by omitting the leading slash from the :path pseudo-header. Upgrade to gRPC-Go 1.79.3 and audit authorization interceptors for deny-list patterns.

CVE-2026-24512 and related April–May 2026 CVEs allow nginx config injection via Ingress annotations, leading to RCE with cluster-wide Secret access. Patch to v1.13.7+, disable configuration-snippet, and enforce annotation allowlisting.

If your K8s cluster built or ran containers during the Axios attack window, you need a playbook. Scope affected pods via image provenance, identify exposed credentials, rotate secrets cluster-wide, and use network logs to determine if the RAT reached C2.

Harden Contour against CVE-2026-41246 Lua code injection via HTTPProxy cookie-rewriting, xDS credential leakage, and tracking silent security fixes in Contour's rapid release cycle.

The Axios supply chain attack hit every CI pipeline running npm install during a 3-hour window. Enforce npm ci --ignore-scripts in Dockerfiles via Kyverno, block build-pod egress, and prevent runtime node_modules mutation in Kubernetes.

CISA's OT Zero Trust guidance places IT-side infrastructure in a DMZ zone. Learn how to use Kubernetes network policy as ISA/IEC 62443 conduit enforcement, isolate OT-adjacent workloads, and prevent K8s from bridging into OT networks.

CISA recommends Malcolm for OT network traffic analysis. Deploy it on Kubernetes for reproducible SOC infrastructure — DaemonSet packet capture, persistent storage for 90-day retention, and RBAC-controlled analyst access.

CVE-2026-35469 lets an attacker crash kubelet and kube-apiserver via malformed SPDY frames. Learn how the silent-branch pattern works and how to close the window with version pinning, RBAC restrictions, and streaming endpoint controls.

Secure Cluster API (CAPI) deployments by hardening controller RBAC, provider credentials, bootstrap token lifecycle, and Machine provisioning pipelines.

Harden Kubernetes CSI drivers for NFS and SMB against CVE-2026-3864/3865 subDir path traversal, malicious volume provisioning, and silent fixes in the fast-moving CSI driver ecosystem.

Harden gRPC-Go services against CVE-2026-33186-class authorization bypass via malformed :path pseudo-headers, and track silent fixes in fast-moving google.golang.org/grpc releases.

Harden ingress-nginx against annotation-based configuration injection attacks—CVE-2026-3288 class—with admission controls, annotation allowlisting, and upstream release monitoring.

Harden KubeVirt virtual machine workloads with virt-launcher pod security, VM isolation, live migration hardening, and tracking KubeVirt's open source CVE disclosure patterns.

Secure OCI image volumes (KEP-4639) in Kubernetes 1.31+ by hardening image pull credentials, mount path validation, and admission controls—and tracking silent fixes in evolving implementations.

CoreDNS is the authoritative DNS server for Kubernetes service discovery. Misconfigured plugins, missing rebinding protection, and unauthenticated health endpoints expose the cluster to DNS-based attacks. Locking down CoreDNS limits lateral movement and prevents DNS-based data exfiltration.

Harden Karpenter-managed node provisioning by securing NodePools, EC2NodeClass IAM roles, node registration, and instance metadata access.

The CIS Kubernetes Benchmark defines 200+ controls across the API server, etcd, kubelet, and scheduler. kube-bench automates this check and integrates into CI/CD so benchmark regressions are caught before they reach production.

CronJobs run privileged operations on a schedule — database backups, report generation, secret rotation. A CronJob that accumulates permissions over time, leaves credentials in completed pods, or runs with unbounded concurrency creates persistent attack surface. Hardening CronJobs applies the same least-privilege principles as long-running workloads.

Operators run with elevated Kubernetes permissions to manage custom resources. Overpermissive ClusterRoles, insecure admission webhooks, and unvalidated CRD inputs are common attack vectors. Scoping operator permissions to the minimum required limits blast radius from operator compromise.

Without resource quotas, a single namespace can consume all cluster CPU, memory, and storage — starving other tenants or crashing the control plane. ResourceQuota and LimitRange enforce per-namespace and per-pod resource bounds, making resource exhaustion attacks and accidental runaway workloads containable.

Cilium's CiliumNetworkPolicy extends standard Kubernetes NetworkPolicy with DNS-based egress control, HTTP/gRPC L7 rules, and cryptographic identity. Hubble provides flow-level visibility without packet capture.

Static kubeconfigs with long-lived certificates are the norm but not the standard. OIDC authentication gives kubectl short-lived tokens, group-based RBAC, and a full audit trail tied to real identities.

Kyverno enforces Kubernetes security policy as YAML. Writing effective validate, mutate, and generate policies — and testing them with Chainsaw — turns admission control from a checkpoint into a continuous guardrail.

Velero backups contain every Kubernetes secret, PersistentVolume, and workload configuration. Without encryption and immutable storage, they are a single-shot path to full cluster compromise or ransomware.

cert-manager manages certificate lifecycle at scale, but its default configuration creates long-lived certs and flat trust hierarchies. Harden the PKI layer your services depend on.

CSI drivers run with broad privileges by design. Their security posture often goes unaudited — until one is the exfil path or the privilege-escalation step.

Native Kubernetes Secrets are visible to anyone with namespace get. External Secrets Operator pulls from your real secret store on schedule, with rotation and audit.

restartPolicy: Always init containers GA'd in 1.29 fix the long-standing init/main race. Bigger security wins for service-mesh and log-shipper deployments.

RuntimeClass lets you select a sandboxed container runtime per workload. gVisor intercepts syscalls in userspace; Kata Containers run workloads in lightweight VMs. Each changes the threat model.

Confidential Containers move workload isolation from the kernel to the silicon. Encrypted memory, hardware-attested boot, and a different threat model than user namespaces.

userns: true remaps Pod UIDs into a per-Pod range. A container running as root sees uid 0 inside; the host sees an unprivileged user. Big hardening win, easy to enable.

VAP replaces webhook admission for the policies you write most often. No Kyverno, no OPA, no network round-trip, no webhook availability risk.

Gateway API replaces Ingress with a multi-role model that separates infrastructure, cluster operator, and application developer concerns. New surface, new threat model.

Kubernetes orchestrates LLM workloads but has no awareness of what those workloads do. An Ollama pod with healthy readiness probes and stable resource usage can still leak secrets, execute prompt injection, and grant models excessive agency over internal services. This article covers the LLM-specific threat model for Kubernetes and implements an LLM gateway as the policy enforcement layer.

A Kubernetes node is a Linux machine running kubelet, a container runtime, and your workloads.

Multi-tenant GPU sharing without isolation risks data leakage between workloads through shared GPU memory.

GPU compute costs between $2 and $30 per hour per device. A single unauthorised cryptocurrency mining pod running on an A100 for a weekend generates..

Request-count rate limiting fails for LLM workloads because a single request can consume 100K tokens. Token-based rate limiting with per-user quotas and abuse detection prevents runaway costs and catches prompt injection probing before it escalates.

Prevention-only security has a binary failure mode: either the control holds and the attacker is stopped, or the control fails and the attacker...

By default, every pod in a Kubernetes cluster can communicate with every other pod across all namespaces. There are no network boundaries.

Without enforced budgets, a single team can exhaust an organization's entire AI spend in days. Token metering with per-team budgets, automatic request rejection at limits, model routing by cost, and chargeback dashboards turn LLM spending from a surprise into a managed line item.

The kubelet runs on every node in the cluster with root-level access to the container runtime, all pod specifications, mounted secrets, and the host..

RBAC sprawl in multi-team Kubernetes clusters grows past 100 role bindings within months.

Kubernetes Secrets are base64-encoded, not encrypted. Anyone with RBAC read access to secrets in a namespace can decode every credential stored there.

When a traditional application causes an incident, you examine logs, traces, and database queries to reconstruct what happened.

Model inference endpoints are GPU-backed and expensive, $2-30 per hour per GPU. A single unprotected endpoint exposed to the internet can accumulate..

Without admission control, any user with deployment permissions can run privileged containers, mount the host filesystem, use the host network, run...

AI systems leak data in ways traditional applications do not. A language model trained on customer data can reproduce verbatim customer records in...

JupyterHub is a code execution platform. Every notebook cell is arbitrary code running with whatever permissions the notebook server process has.

Kubernetes namespaces provide logical separation, not security isolation. By default, pods in namespace A can send network traffic to pods in...

A single content filter is not a pipeline. Most LLM deployments add one filter (usually on output) and call it done.

Traditional security testing (penetration testing, vulnerability scanning) does not cover AI-specific attack surfaces.

Without image policy enforcement, any container image from any registry can run in a Kubernetes cluster.

Retrieval-Augmented Generation (RAG) adds a knowledge base to LLM applications, the model retrieves relevant documents before generating a response.

Kubernetes SecurityContext has over 15 configurable fields, but most teams only set runAsNonRoot: true and consider the job done.

Vector databases are the backbone of RAG (Retrieval-Augmented Generation) systems.

Deploying a new ML model version is not the same as deploying a new application version.

The API server is the front door to the Kubernetes cluster. Every kubectl command, every controller reconciliation, every pod scheduling decision,...

The default container runtime allows approximately 300 syscalls. A compromised container can use unshare to create new namespaces, clone to spawn...

Kubernetes Secrets are stored in etcd as base64-encoded plaintext. Base64 is an encoding, not encryption.

Deploying an LLM without guardrails is deploying an application where any user can make it say or do anything.

The ingress controller is the internet-facing entry point to a Kubernetes cluster.

Traditional application monitoring (CPU, memory, HTTP status codes, latency) tells you nothing about what an LLM is doing.

Model serving frameworks ship with defaults optimised for development: management APIs exposed on all interfaces without authentication, model files..

Fine-tuning pipelines are high-value targets. They consume expensive GPU hours, process proprietary training data, and produce model checkpoints that...

The Kubernetes scheduler places pods on nodes based on resource availability and basic constraints.

Kubernetes audit logs record every request to the API server: who made the request, what they asked for, and whether it succeeded.

Model files are opaque binaries ranging from 1GB to over 1TB. You cannot code-review a set of weights.

Reinforcement Learning from Human Feedback (RLHF) pipelines introduce unique security surfaces that standard ML training workflows do not have.

AI services have turned API keys into direct spending controls. A leaked OpenAI or Anthropic key can generate thousands of dollars in charges within...

Prompt injection is the SQL injection of AI systems, the most common and most damaging attack class against LLM-powered applications.

AI training clusters frequently share networks with production services. A training job that can reach the production database is one compromised...

LLM-powered applications have unique observability requirements that standard APM tools do not address: token-based cost tracking (not just request...

Model registries are the bridge between training and production. A model pushed to the production registry gets served to users.

Every pod in Kubernetes receives a service account token by default. In clusters running older configurations or without explicit hardening, these...

CVE-2024-48990 through CVE-2024-48992 allow local privilege escalation via needrestart: the tool runs as root, reads /proc/PID/environ to detect interpreter restarts, and can be tricked into executing attacker-controlled interpreter paths — disable scanning or pin to a fixed interpreter map.

The Linux kernel receives 5,000+ CVEs per year; most are irrelevant to any given deployment because they affect drivers, subsystems, or syscalls not present or enabled on that host; auditing kernel config, disabling unused modules, and restricting syscalls directly reduces the number of CVEs you must patch.

NGINX worker processes run as an unprivileged user after the master binds ports, but a CVE that achieves worker RCE inherits the worker's OS context; Seccomp, namespace isolation, and capability dropping contain the damage when a vulnerability is exploited before a patch is available.

AF_VSOCK provides a fast VM-to-hypervisor communication channel that has produced multiple guest-to-host escape CVEs; restrict the socket family via Seccomp, limit hypervisor-side listeners, and audit which services bind VSOCK ports.

LLMs can reason about interactions between kernel configuration options that manual audit misses — integrate AI-assisted kernel config review into your hardening baseline workflow to catch contradictory settings, missing defences, and architecture-specific gaps.

Netlink sockets expose a large kernel attack surface across rtnetlink, NETLINK_AUDIT, NETLINK_XFRM, and Generic Netlink families; multiple CVEs exploit this path from unprivileged processes and containers — restrict access with Seccomp, network namespaces, and capability dropping.

Abstract namespace Unix sockets bypass filesystem permissions and allow container processes to reach host daemons; restrict access via network namespaces, AppArmor socket rules, and explicit socket path auditing.

AI tools compress the time from CVE disclosure to working kernel exploit from weeks to hours; update your kernel hardening priorities, patch-velocity targets, and compensating control playbook for the faster weaponization timeline.

The n_gsm line discipline enables LPE from unprivileged TTY access; disable the module or restrict line discipline attachment to close this recurring kernel attack path.

Dirty Frag is a deterministic Linux kernel local privilege escalation affecting the xfrm IPsec subsystem. Unlike race-condition exploits, it requires no timing: unprivileged processes use splice(2) or sendfile(2) to retain references to page-cache pages that esp4/esp6 decryption then writes plaintext into, yielding a reliable write primitive to root in a single command. This article covers the vulnerability mechanics, affected distributions, module blacklisting mitigation, and detection.

Application-layer rate limiting breaks when the attack volume saturates the API gateway process before a single request is evaluated. nftables meters and eBPF XDP programs enforce per-IP, per-endpoint, and per-token rate limits in the Linux kernel — before traffic reaches the application. This article implements kernel-level API gateway protection that holds up under volumetric attack.

Traditional bastion hosts accumulate persistent user accounts, shared credentials, and lateral movement risk over time. ContainerSSH replaces this model by launching a fresh isolated container for every SSH connection — no persistent system users, no shared state between sessions, automatic cleanup on disconnect. This article covers the architecture comparison, ContainerSSH deployment, and the defence-in-depth properties of ephemeral-container-per-session access.

Distroless and scratch-based container images have no shell, no package manager, and often no OS metadata — making traditional vulnerability patching impossible. Copa (Copacetic) solves this by parsing a Trivy vulnerability report and applying package-level fix layers directly via BuildKit, without access to the original Dockerfile or source. This article covers Copa's layer-patching mechanics, patching Alpine, Debian, and distroless images, and verifying patch success.

When copy_from_user faults midway through a kernel operation, partially initialised kernel objects can be left in inconsistent state — a primitive that privilege escalation exploits use to corrupt allocator metadata or forge pointers. This article covers the vulnerability class, SMAP as a mitigation, fault-injection hardening, and slab object lifecycle protections that close the window.

The Linux kernel crypto API exposes symmetric ciphers, hash functions, and AEAD constructions to userspace via AF_ALG sockets. CVE-2021-3543 (algif_aead null pointer dereference) and CVE-2019-8912 (AF_ALG use-after-free) both escalated from unprivileged userspace to kernel code execution via the crypto socket interface. This article maps the attack surface, safe usage patterns, and how to restrict AF_ALG access in container environments.

Static SBOM scanning and registry controls stop known malicious packages, but a zero-day supply chain compromise (an attacker-modified npm/pip package that passes scanning) requires runtime behavioural detection. This article covers using eBPF (Falco, Tetragon) to detect anomalous behaviour from compromised dependencies: unexpected network calls from npm postinstall, file writes outside expected paths, privilege escalation from a library's execution context.

Once a container escapes to the Kubernetes node, the attacker finds kubelet TLS client certificates at /var/lib/kubelet/pki/, calls the Kubernetes API server as the node identity, lists every pod on the node, reads their secrets from /proc/<pid>/environ, and accesses cloud IMDS for IAM credentials. This article maps every step of the post-escape attack chain and the detection signals that identify each phase.

A reproducible build produces bit-for-bit identical output from identical source — meaning any independent rebuilder can verify no malicious modification occurred between source and artifact. This article covers the techniques that break reproducibility (timestamps, nondeterministic linking, build paths), Debian and Nix reproducible build infrastructure, SOURCE_DATE_EPOCH, and using diffoscope to diagnose unreproducible outputs.

An unprotected Vault instance — running with a manually managed unseal key, no audit log, and a persistent root token — is a single point of total secret compromise. Vault's auto-unseal with cloud KMS eliminates the manual unseal process and the humans who knew the keys. Audit log shipping to an immutable store creates a forensic trail. Root token revocation after bootstrap removes the master credential from existence.

An LLM can generate a kernel module, device driver, or eBPF program in seconds. The Linux kernel's security model — CVE disclosure process, stable API guarantees, security response team, and decades of adversarial testing — cannot be replicated by a prompt. This article maps the specific failure modes of AI-generated system code against what upstream open source provides.

CVE-2022-0847 let any unprivileged process splice data into read-only file-backed pages via the pipe buffer's PIPE_BUF_FLAG_CAN_MERGE flag. Inside a container, this means overwriting the host's read-only binaries and /etc/passwd without any special capabilities.

Google's Big Sleep (Project Naptime), Atlas, and Microsoft Security Copilot fuzzers discovered multiple Linux local privilege escalation chains in 2025-2026 that human researchers missed for years. The attack class is real, the CVE velocity is increasing, and defenders need a systematic response beyond reactive patching.

Linux 6.10+ ships BPF token, a delegation mechanism that lets unprivileged user namespaces load and attach a curated subset of eBPF programs without CAP_BPF on the host. Production hardening guide for runtimes, observability agents, and developer workstations.

Restrict and authenticate kexec on production Linux: signed kexec_file_load, lockdown mode interactions, kdump isolation, and detection of kexec abuse.

Residential proxy networks (BrightData, Oxylabs-style) and IoT-compromised botnets route attack traffic through millions of real consumer IP addresses, defeating IP reputation systems. Linux kernel nftables, tc/eBPF, and XDP provide per-connection rate-limiting, connection-table fingerprinting, and flow-state analysis that work even when every request comes from a unique legitimate-looking IP.

MCP (Model Context Protocol) servers run as local processes that give AI agents access to filesystems, shells, databases, and APIs. A compromised or prompt-injected MCP server can read arbitrary files, execute commands, and exfiltrate data with the permissions of the process that hosts it. Linux namespaces, seccomp, and capability dropping contain the blast radius before it reaches the host.

Maintaining an open source Linux tool means handling security vulnerabilities responsibly — assigning CVEs, coordinating disclosure with downstream distributions, building patched releases, and communicating clearly to users. Poorly handled security disclosures damage trust and leave users exposed. This guide covers the end-to-end security release process for Linux daemon and tool maintainers.

OpenSSH 9.0 shipped sntrup761x25519 hybrid key exchange, and OpenSSH 9.9 adds ML-KEM-768 support. Harvest-now-decrypt-later attacks make upgrading SSH key exchange urgent for long-lived sensitive sessions. This guide migrates SSH infrastructure to hybrid PQC key exchange, updates host key algorithms, and deploys client configuration for organisations managing hundreds of servers.

SAST and SCA tools are only as trustworthy as the environment that runs them. A developer who can modify the scan configuration, suppress findings before they're recorded, or tamper with result files defeats the security gate entirely. This guide hardens the Linux environments where code scanning runs — covering file integrity for scanner binaries, result chain-of-custody, isolated scan execution, and detecting bypass attempts.

CVE-2023-32233 (use-after-free in nf_tables set handling) was exploited without root on unpatched Ubuntu 22.04 in under five minutes using only unprivileged user namespaces — enabled by default on most desktop Linux distributions. The kernel.unprivileged_userns_clone sysctl closes it; the reason distros resist enabling it reveals a deeper design tension.

Distro defaults leave significant exploit mitigation headroom on the table. This guide covers ASLR levels, PIE binaries, RELRO, stack canaries, SMEP/SMAP, CET shadow stacks, heap hardening, and how to verify every layer is actually active.

runc's seccomp filters help, but a single unfiltered syscall can still hand an attacker the host kernel. This article explains when and how to deploy gVisor, Kata Containers, and crun to enforce stronger isolation boundaries for high-risk workloads.

Core dumps write a full copy of process memory to disk — including TLS private keys, passwords, session tokens, and cryptographic material. This guide covers disabling core dumps globally and per-service, locking down systemd-coredump, hardening kernel core_pattern, using PR_SET_DUMPABLE, controlling fs.suid_dumpable, and auditing core dump creation with auditd.

Cron and at are persistent attack surfaces on every Linux system. Writable crontab files, PATH hijacking in root jobs, and world-writable scripts executed on a schedule are among the most reliable privilege escalation and persistence techniques in an attacker's playbook. This guide covers file permission hardening, access control, root job hygiene, auditd monitoring, and when to replace cron entirely with systemd timers.

D-Bus as a privilege escalation surface: auditing exposed services with busctl and gdbus, hardening policy files, writing restrictive polkit rules, confining services with AppArmor/SELinux, and monitoring for suspicious IPC activity.

A full /var/log stops syslog cold, a full /tmp crashes services that assume writes succeed, and a full /home triggers cascading auth failures. Disk quotas are the enforcement layer that prevents these outcomes.

Weak entropy means predictable secrets. This guide covers Linux RNG architecture, boot-time starvation in VMs, RDRAND/TPM seeding, LRNG, and auditing entropy health for production systems.

fanotify gives your security daemon filesystem-wide visibility and the ability to block file operations before they complete. This article covers permission events, FAN_MARK_FILESYSTEM, path resolution with FAN_REPORT_DFID_NAME, and how fanotify fits alongside auditd and eBPF.

chattr +i sets a filesystem-level immutable flag that blocks writes, deletes, renames, and hard links — even for root. Learn how to protect /etc/passwd, SSH config, and log files, automate attribute enforcement at boot, and integrate with auditd and IMA/EVM.

Hardened GnuPG setup for production: offline primary keys, subkey architecture, APT/DNF package verification, Git commit signing, YubiKey offload, key rotation, and WKD autodiscovery.

HSMs and PKCS#11 tokens move private keys off disk and out of memory. This guide covers network HSMs, YubiHSM 2, TPM 2.0, OpenSSL engine and provider configuration, OpenSSH, TLS daemons, and the performance trade-offs engineers actually hit.

Unsigned kernel modules are a primary rootkit vector. This guide covers the full module signing infrastructure: CONFIG_MODULE_SIG_FORCE, sign-file, DKMS auto-signing, MOK enrollment, and detecting unsigned modules at runtime.

Network namespaces give each service its own TCP/IP stack, routing table, and firewall rules. Lateral movement between services requires an explicit veth bridge — it cannot happen by accident.

NFSv3 has no authentication model — any host that can reach port 2049 can mount your exports and spoof UIDs. This guide covers NFSv4 with Kerberos, export hardening, ID mapping, firewall rules, kernel TLS, and NFS in Kubernetes.

Password-only PAM is not enough. Add TOTP via libpam-google-authenticator and hardware-bound OTP or U2F via pam_yubico / pam_u2f to SSH and sudo. Stack ordering, break-glass access, and how to test without locking yourself out.

Cardholder data environments require Linux hardening that maps directly to PCI DSS Requirements 2, 6, 8, and 10. Generic OS hardening isn't enough — this guide maps specific sysctl settings, filesystem controls, service minimisation, and audit configuration to the PCI DSS v4.0 requirements that assessors actually check.

POSIX Access Control Lists extend Unix permissions with named user and group ACEs, ACL masks, and inheritable default ACLs. Essential for shared directories, service isolation, and least-privilege access without group sprawl.

ptrace is a privilege-escalation primitive hiding in plain sight. YAMA LSM, PR_SET_DUMPABLE, seccomp, and eBPF auditing close the attack surface in production and container environments.

LD_PRELOAD lets any unprivileged user inject arbitrary code into every dynamically linked process they spawn. This article covers the full attack surface — PRELOAD hooks, library path hijacking, /etc/ld.so.preload persistence — and the structural defenses: AT_SECURE clearing, IMA/EVM measurement, dm-verity on /usr, and auditd detection rules.

Restrict which processes can bind to ports, secure socket reuse, lock down Unix domain sockets, and detect unexpected listeners — a practical hardening guide for production Linux hosts.

Unencrypted swap exposes cryptographic keys, session tokens, and database results to cold-boot attacks and forensic analysis. This guide covers volatile random-key swap, persistent LUKS swap for hibernation, zram as a swap alternative, and verification tooling for production systems.

Linux virtual filesystems expose kernel memory addresses, hardware state, and process details by default. Harden /proc, /sys, and debugfs to eliminate information leakage that attackers exploit for KASLR bypass, process enumeration, and side-channel attacks.

A defence-in-depth guide to hardening the Linux network stack with sysctl: SYN flood protection, ICMP filtering, reverse path filtering, TCP timestamps, IPv6 RA hardening, and full verified drop-in configuration for production systems.

tmpfs filesystems — /tmp, /dev/shm, /run — are writable in-memory surfaces used daily for payload staging and IPC abuse. This article covers mount hardening, systemd PrivateTmp isolation, size limits, abstract UNIX sockets, and managing application exceptions.

Master the UEFI Secure Boot trust chain from firmware key databases through shim and MOK to the kernel. Learn to inspect DB/DBX, enrol custom keys, remove Microsoft CA, detect bypasses, and understand BootGuard and firmware update signing.

Edera's research shows unprivileged user namespace creation expands reachable kernel attack surface by 3.4x and enabled 40+ CVEs in 2020–2025. Disable unprivileged namespace creation on servers, understand the trade-offs, and apply per-service exceptions where rootless containers are required.

CVE-2026-3888 exploits a race between snap-confine and systemd-tmpfiles to escalate privileges to root on Ubuntu LTS. Understand the timing window, patch snapd, and harden /tmp handling to close this class of tmpfiles race vulnerabilities.

The Axios attacker compromised a maintainer's PC to steal an npm token. Harden Linux developer workstations with credential isolation, application allowlisting, and malware detection so a compromised machine cannot pivot to npm publish.

2026's wave of kernel LPEs shows patches alone aren't enough. Build layered mitigations — seccomp-BPF blocking dangerous socket families, user namespace restrictions, kernel pointer hardening, and Landlock — that raise the exploitation bar regardless of which bug comes next.

CVE-2026-34073 allows X.509 certificates violating excluded-subtree DNS name constraints to pass validation in Python's cryptography library. Audit Python services doing TLS on Linux — SSSD, httpx, requests, custom PKI validators — and upgrade to 46.0.6.

CVE-2026-31431 Copy Fail lets an unprivileged user gain root via AEAD page-cache corruption. Understand the silent-patch pattern and how to close the gap with kernel settings, LSM policy, and live patching.

Harden Linux Bluetooth against CVE-2026-31512 L2CAP kernel memory disclosure, OOB read vulnerabilities, and the recurring pattern of Bluetooth subsystem fixes landing before distro advisories.

CISA's OT Zero Trust guidance targets Living Off The Land attacks on HMI workstations. Harden Linux SCADA displays with kiosk lockdown, application allowlisting around vendor software, and EDR without disrupting control system I/O.

CISA's OT Zero Trust guidance places Linux jump hosts as the primary enforcement point between IT and OT networks. Learn how to harden them with MFA, application allowlisting, LOTL defences, and session recording.

Harden Linux systems against CVE-2026-23208 USB audio URB buffer overflow from malicious USB devices, and the recurring pattern of ALSA/USB driver fixes landing without CVE assignment.

The Axios supply chain compromise delivered a cross-platform RAT via a postinstall hook. Learn how auditd rules and eBPF-based runtime monitoring catch the process spawning and C2 connections that betray malicious npm install scripts on Linux.

Harden Linux systems against eBPF verifier bypass vulnerabilities—like GHSA-hfqc-63c7-rj9f's register tracking bug—by restricting BPF access, monitoring silent kernel fixes, and validating verifier behaviour.

Harden the Linux kernel keyring subsystem with TPM2-backed key storage, IMA appraisal keyrings, keyctl ACL hardening, and monitoring for open source keyring CVE patch gaps.

Harden Linux netfilter and nf_tables against CVE-2026-31414-class connection tracking bugs, privilege escalation via nf_tables, and the recurring pattern of silent kernel netfilter fixes.

Harden Linux systems against page-cache write primitives exploited by CVE-2026-31431 (Copy Fail) and related AF_ALG/splice attack chains, with kernel config controls and patch-gap monitoring.

Harden runc-based container runtimes against escape CVEs, mount namespace attacks, and process injection—with guidance on tracking silent security fixes in runc's public git history.

Replace cleartext environment variable secrets with systemd-credentials: TPM2-sealed or password-encrypted service credentials for systemd units on Linux.

Modern Linux exploit mitigations — ASLR, PIE, stack canaries, RELRO, and FORTIFY_SOURCE — significantly raise the cost of memory corruption exploits. Understanding which mitigations are active on a system, how to verify them, and how to build software with all of them enabled is essential for hardening.

Package managers are the primary software supply chain for Linux systems. Weak GPG key configuration, unauthenticated mirrors, and unpinned package versions allow an attacker who controls a mirror or the network path to install arbitrary packages as root.

Rootkits hide attacker presence by modifying kernel structures, replacing system binaries, and intercepting syscalls. Detecting them requires integrity baselines taken before compromise, kernel module auditing, and tools that operate below the rootkit's hook level.

SSH key sprawl — hundreds of authorized_keys entries, no revocation — is eliminated by an SSH CA. The CA signs short-lived user certificates and host certificates, centralising trust and enabling instant revocation without touching individual servers.

Misconfigured sudo is one of the most common local privilege escalation paths on Linux. Locking down sudoers to command-specific grants, auditing NOPASSWD rules, restricting environment inheritance, and monitoring sudo usage closes a persistent attack surface.

Harden Linux boot integrity with Unified Kernel Images, systemd-boot, and TPM2 PCR policy binding to replace legacy GRUB+LUKS measured-boot flows.

Kernel live patching applies security fixes to a running kernel without a reboot. kpatch on RHEL and livepatch on Ubuntu eliminate the window between CVE disclosure and the next maintenance window.

Unprivileged user namespaces underpin rootless containers but have enabled dozens of kernel privilege escalation CVEs. Knowing when to restrict them, how to delegate safely, and how to monitor their use is essential.

Sealing LUKS keys to TPM2 PCRs means the disk only unlocks on hardware in the expected boot state. Clevis and tang add network-bound decryption for server fleets without manual passphrase entry.

Seccomp-BPF restricts which syscalls a process can make. Applied to system daemons and services outside containers, it reduces the kernel attack surface exploitable from a compromised service.

dm-verity gives you a read-only root that fails to mount if a single block is tampered with. dm-integrity adds runtime checksumming. Together: immutable, evidence-bearing systems.

lsm_bpf attaches eBPF programs to LSM hooks. Define security policy in code, push without reboot, audit at the syscall boundary. AppArmor for cloud-native systems.

Ambient capabilities, CapDrop in systemd units, auditing capability use with auditd and bpftrace. Least-privilege for services that run as root by legacy necessity.

IMA measures every executed file and mmap'd library at the kernel level. EVM protects extended attributes from tampering. Together they detect supply chain compromise before code runs.

USB devices are a peripheral attack surface most servers ignore. USBGuard provides allowlist-based authorization, blocking BadUSB and malicious-cable threats.

ed25519-sk and ecdsa-sk bind SSH keys to a hardware token. Phishing-resistant, exfiltration-proof, increasingly the default. Two short commands to switch.

Lockdown mode separates root from kernel. integrity blocks code modification; confidentiality also blocks reads. Cheap, broad, underused.

Landlock lets an unprivileged process restrict its own filesystem and network access at the kernel level. AppArmor without root, seccomp with semantics.

io_uring gives userspace a submission queue that sidesteps the normal syscall path. It has produced a steady stream of kernel CVEs and routinely bypasses seccomp.

Cloud VMs exposed to the internet with password-only SSH are compromised within hours. This article covers the complete secure access stack: SSH key authentication, TOTP two-factor login, WireGuard VPN as a network-layer gate, and audit logging to track who did what and when.

Every SSH hardening guide starts and ends with the same three changes: disable root login, require key-based authentication, change the default port.

Most Linux hosts resolve DNS in plaintext over UDP port 53. On a stock Ubuntu 24.04 or RHEL 9 system:

Linux kernels ship with defaults optimised for compatibility, not security. On a stock Ubuntu 24.04 or RHEL 9 installation.

Without boot security, an attacker with physical access or console access (BMC, IPMI, cloud serial console) to a Linux system can.

/proc and /sys are virtual filesystems that expose kernel internals, hardware details, and process information to userspace.

auditd is the kernel-level audit system on Linux, it captures syscalls, file access, user commands, and privilege changes that no userspace tool can...

iptables is deprecated. nftables is the replacement in every modern Linux kernel (5.0+).

Without resource limits, a single service, container, or compromised process can consume all available CPU, memory, I/O bandwidth, or PIDs on a host.

SELinux is the most powerful mandatory access control system on Linux, and the most disabled. The result: services have no MAC confinement.

Accurate time is a silent dependency of almost every security control on a Linux system.

Manual OS hardening does not scale. The sysctl settings from Hardening the Linux Kernel Attack Surface with sysctl and Boot...

PAM (Pluggable Authentication Modules) is the authentication foundation on Linux.

The Linux kernel loads modules on demand. When a process requests a capability that is not built into the running kernel (a filesystem type, a...

ubuntu:latest ships with over 200 packages. At any given point, a vulnerability scan with Trivy will report 50 or more CVEs, most of which are in...

AppArmor is the default mandatory access control system on Ubuntu and Debian. It restricts applications to specific file paths, capabilities, and...

systemd provides over 30 security-relevant directives for sandboxing services, yet the vast majority of unit files (including those shipped by...

Default Linux installations mount most filesystems with permissive options. On a stock Ubuntu 24.04 or RHEL 9 system:

Ivanti Connect Secure, Palo Alto GlobalProtect, and FortiGate SSL VPN have each had critical CVEs actively exploited by nation-state actors in 2024-2025; these devices cannot always be patched immediately — detection signatures, compensating controls, and post-exploitation indicators reduce dwell time.

NIST's National Vulnerability Database has accumulated a significant enrichment backlog since 2024, leaving months-old CVEs without CVSS scores or CPE mappings; vulnerability scanners that depend solely on NVD data will miss or misclassify these findings — supplement with OSV, GitHub Advisory Database, and vendor feeds.

CVE-2025-23419 allows TLS session resumption to skip mutual TLS client certificate verification when virtual hosts share a TLS session ticket key; understand which NGINX configurations are affected and how to enforce per-connection certificate validation.

CVE-2024-3596 demonstrated that RADIUS/MD5 authentication is cryptographically broken and allows on-path attackers to forge Access-Accept responses; migrate to RADIUS over TLS (RadSec), enable Message-Authenticator enforcement, and audit all RADIUS-dependent infrastructure.

AI-driven DDoS campaigns observe mitigation responses and adapt attack vectors in real time; combine ML-based traffic classification with rule-based scrubbing, dynamic threshold tuning, and multi-layer defence to handle attacks that learn from your defences.

Passive OS fingerprinting tools (p0f, nmap, Zeek) identify OS version from TCP SYN flags, IP TTL, window size, and timestamp behaviour without sending a single probe; randomise and normalise these signals to frustrate pre-exploitation reconnaissance.

AI generates hyper-personalised spear-phishing at near-zero marginal cost; deploy DNS sinkholing, email gateway behavioural analysis, network egress controls, and browser isolation to contain AI-generated social engineering campaigns.

Terrapin allows a network MITM to silently strip SSH extension negotiation messages, downgrading security extensions including keystroke timing obfuscation and strict key exchange; deploy strict-kex mode across all OpenSSH clients and servers.

On May 5, 2026, a faulty key-rollover script at DENIC caused the .de TLD to serve non-validatable DNSSEC signatures for three hours. Every validating resolver — Cloudflare 1.1.1.1, Google Public DNS, ISP resolvers — returned SERVFAIL for all .de domains. This article analyses what went wrong, the operational safeguards that would have prevented it, and how to design DNSSEC rollover procedures for your own zones that fail safely.

SMTP request smuggling exploits line-ending interpretation differences between SMTP servers to inject forged emails that pass SPF and DKIM checks; harden MTAs with strict EOL validation and consistent DATA termination handling.

Each ContainerSSH session Pod runs in its own network context, but without explicit NetworkPolicy every session can reach every other service in the cluster. This article covers designing per-session NetworkPolicy for ContainerSSH on Kubernetes — restricting egress to only the target service each user needs, blocking inter-session traffic, and using Cilium L7 policy to enforce which commands session containers can run against internal APIs.

Air-gapped and network-isolated environments cannot reach upstream package repositories or public vulnerability databases during a Copa patch run. This article covers the architecture for offline Copa patching: mirroring OS package repositories, running a local Trivy vulnerability database, using a private BuildKit instance, and establishing a one-way data transfer pipeline for importing new patches into the isolated zone.

Encrypted Client Hello (ECH, RFC 9258) hides the SNI from network observers — the hostname the client is connecting to is no longer visible in the TLS handshake. This breaks DLP, enterprise TLS inspection, and security monitoring tools that rely on SNI for traffic classification. This article explains how ECH works, what it hides vs. what's still visible, and what security teams need to change in their monitoring architecture.

GraphQL's introspection system reveals the complete API schema to any client. Batch queries bundle thousands of operations in one HTTP request, bypassing per-request rate limiters. Deeply nested queries can trigger O(n^k) resolver chains. Aliased queries mask attack patterns from WAFs. Disabling introspection, enforcing query complexity limits, and persisted queries at the gateway layer close these attack surfaces.

An Identity-Aware Proxy (IAP) enforces application-layer authentication and authorization on every request, making network location irrelevant to access decisions. This article covers the IAP architecture pattern, implementing a self-hosted IAP with Envoy + ext_authz + OAuth2 Proxy, GCP IAP for GKE workloads, and integrating device posture signals into IAP policy.

Default Kubernetes clusters have no network policy — every pod can reach every other pod and service. From a compromised ingress pod, an attacker can reach internal databases, the Kubernetes API server, etcd, the kubelet API on every node, and cloud instance metadata. This article maps the specific network paths, tools for discovery, and the NetworkPolicy and network segmentation controls that block each pivot.

Traditional Kubernetes NetworkPolicy operates at L3/L4, blocking by IP and port. Cilium's eBPF-based CNI extends this to L7: enforce that pod A can only call /api/v1/users GET on pod B, not arbitrary HTTP methods or paths. This article covers Cilium CiliumNetworkPolicy L7 rules, DNS-based egress policy, Hubble observability, FQDN policies, and migrating from calico to Cilium without downtime.

Double-fetch vulnerabilities occur when the kernel reads a userspace or shared-memory value twice — first to validate it, then to use it — allowing a racing thread to change the value between reads. In the network stack, this pattern appears in socket option handling, netlink message parsing, and skb clone operations. This article covers the double-fetch class in net subsystem code, historical CVEs, and kernel hardening to eliminate the race window.

The network path between your application and Vault, AWS Secrets Manager, or Azure Key Vault is an attack surface that most secrets management guides ignore. A MITM on that path intercepts decrypted secrets. Certificate pinning prevents MITM even with a compromised CA. Anomaly detection on secrets-API traffic reveals credential harvesting before secrets are used externally.

Service mesh mTLS provides workload-to-workload encryption and identity verification without application code changes. But the certificate issuance, rotation, and trust hierarchy that underpins mTLS are complex security controls that can be misconfigured. This article covers Istio's cert issuance architecture (istiod as CA), Linkerd's certificate hierarchy, external CA integration (Vault PKI, cert-manager), peer authentication policies, and detecting mTLS bypass attempts.

Traditional VPN grants broad network access once authenticated. ZTNA with WireGuard creates short-lived, per-resource encrypted tunnels provisioned only after identity and device posture verification. This article covers the ZTNA architecture pattern, Tailscale and Headscale for managed WireGuard mesh, per-node ACL policy, provisioning ephemeral WireGuard configs from an identity provider, and hardening WireGuard endpoints.

CAP_NET_RAW is included in Docker's default capability set — it's needed for ping and raw socket tools. CVE-2020-14386 (AF_PACKET memory corruption) and CVE-2021-22600 (double-free in packet_set_ring) both required only CAP_NET_RAW to escalate to kernel code execution. Dropping one capability from the default set closes both attack vectors.

An LLM can generate a TLS 1.3 handshake, an AES-GCM implementation, or a WireGuard-style key exchange in Python in minutes. Each of these will have subtle timing side-channels, nonce reuse vulnerabilities, or state machine bugs that 25 years of adversarial testing on OpenSSL, BoringSSL, and the Linux kernel crypto API have eliminated. The rule 'never roll your own crypto' now applies to AI-generated crypto.

LLM-powered attack tools generate SQL injection, XSS, and SSRF payloads with infinite semantic variation that bypass every signature a WAF has ever learned. Simultaneously, AI-driven bots mimic human timing patterns and browser fingerprints with statistical fidelity. Shape-based and behavioural defences replace signature matching.

OpenAPI and Protobuf definitions are the authoritative contract for an API's behaviour — and they encode security properties like authentication requirements, input validation constraints, and sensitive field exposure. Scanning schemas at commit time catches broken object-level auth, missing input constraints, and PII exposure before the API is deployed. This guide covers schema linting, custom security rules, and CI integration for REST and gRPC APIs.

curl-impersonate and uTLS allow any HTTP client to spoof the TLS ClientHello of Chrome, Firefox, or Safari — producing a JA4 fingerprint indistinguishable from a real browser. This breaks JA4-based bot detection. Detection countermeasures move to: TLS handshake timing, cipher negotiation behaviour, HTTP/2 SETTINGS frame fingerprinting (ALPN ordering, stream weights), and post-handshake protocol behaviour.

MASQUE (RFC 9298) lets HTTP/3 clients tunnel UDP through a proxy — Apple Private Relay, Cloudflare Zero Trust, and enterprise SASE gateways all run on it. The proxy itself sees plaintext QUIC connection IDs, can be abused as an open relay, and concentrates a lot of trust. Hardening guide for operators.

Production hardening for MASQUE / CONNECT-UDP (RFC 9298) proxies: authentication, egress policy, abuse detection, and operational pitfalls.

MCP's Server-Sent Events (SSE) transport exposes MCP servers as HTTP endpoints with no built-in authentication. An unauthenticated MCP endpoint on an internal network is reachable by any process on that network — turning lateral movement into agent tool access. mTLS for service-to-service authentication and OAuth 2.0 for user-delegated agent authorisation are the two patterns that close this gap.

CVE-2022-1015 (nftables out-of-bounds write) and CVE-2022-1016 (use-after-free in nf_tables) gave unprivileged users with CAP_NET_ADMIN — granted by default in many Kubernetes pods — the ability to achieve kernel code execution. The attack surface is the kernel's packet filtering subsystem, reachable from any network namespace.

Nginx, HAProxy, and Envoy underpin the internet's HTTP infrastructure — a critical vulnerability in any of them requires rapid coordinated response. This guide covers how to report vulnerabilities to each project's security team, what to expect during the disclosure process, how to track CVEs in networking software you depend on, and how to apply emergency patches when a critical disclosure drops.

OpenSSL 3.5 (April 2025) ships ML-KEM as a built-in provider — the first production-ready release for PQC TLS without patching. This guide deploys hybrid X25519+ML-KEM-768 key exchange on NGINX and HAProxy, validates PQC negotiation with clients, and provides a rollout strategy that maintains compatibility with non-PQC clients.

Deploy a multi-PoP anycast architecture that absorbs volumetric DDoS floods across geographically distributed scrubbing nodes, combining BGP anycast, ECMP, SYN cookies, and XDP-based SYN proxies to keep origin infrastructure reachable under multi-hundred-Gbps attacks.

Routing protocol attacks — BGP hijacking, OSPF LSA injection, route table flooding — can silently redirect or blackhole all traffic. Harden BGP and OSPF with MD5/TCP-AO authentication, GTSM, RPKI filtering, prefix-list hygiene, BFD, and passive interface isolation.

HTTP Public Key Pinning was deprecated in 2018 after bricking sites and creating unrecoverable outages. This article covers what replaces it: static pinning in mobile apps via Android NSC and iOS NSPinnedDomains, SPKI hash pinning in Go service clients, DANE/TLSA, CAA records, mTLS for service-to-service auth, and CT log monitoring — plus when pinning causes more harm than it prevents.

Cloud networks are not secure by default. Misconfigured security groups, open IMDS endpoints, and absent private service endpoints routinely lead to credential theft and data exfiltration. This guide covers the controls that matter: VPC design, IMDS v2 enforcement, private endpoints, flow log analysis, and cross-cloud parity across AWS, GCP, and Azure.

Harden your internal recursive resolver infrastructure against cache poisoning, DNS rebinding, and lateral movement. Covers BIND 9 and Unbound hardening, DNSSEC validation, DNS over TLS, split-horizon views, and Kubernetes CoreDNS security.

MAC-based access control is trivially bypassed. 802.1X with EAP-TLS enforces cryptographic device identity at the port level, dynamically assigns VLANs by identity, and eliminates rogue device connection on both wired and wireless networks.

FAPI 2.0 is the OpenID Foundation's security profile for high-value financial APIs — used by Open Banking UK, PSD2 in Europe, and CDR in Australia. It mandates mTLS sender-binding, DPoP proof-of-possession, PAR, and pushed authorization. This guide implements FAPI 2.0 requirements and shows how each control addresses specific financial API attack vectors.

HTTP/2 introduced multiplexing, header compression, and server push — each of which carries attack surface absent in HTTP/1.1. This guide covers protocol-level hardening across Nginx, HAProxy, and Envoy.

Blindly blocking all ICMP breaks Path MTU Discovery, disables availability monitoring, and violates RFC requirements for IPv6. This article covers a practical ICMP filtering policy for nftables, ICMPv6 neighbour discovery requirements, covert channel detection for ICMP tunnelling tools like ptunnel and hans, and Zeek/Suricata detection rules.

Kerberos is the default authentication protocol for Active Directory and Linux enterprise environments, but default configurations leave it vulnerable to kerberoasting, AS-REP roasting, golden ticket attacks, and delegation abuse. This guide covers pre-authentication enforcement, gMSA deployment, delegation hardening, encryption type restriction, krbtgt rotation, and detection of live attacks using Windows event IDs.

LDAP on port 389 transmits bind credentials in cleartext, permits anonymous enumeration, and is trivially injectable. This guide covers enforcing LDAPS, disabling anonymous bind, writing correct OpenLDAP ACLs, preventing LDAP injection in application code, and hardening Active Directory LDAP signing and channel binding.

Harden Linkerd's automatic mTLS, Server and HTTPRoute authorisation policies, MeshTLSAuthentication, egress control, and multi-cluster federation — the security-first alternative to Istio.

NAT hides internal hosts behind shared IP addresses, breaking IP-based threat attribution and complicating forensics. CGNAT at the carrier level extends this problem across thousands of subscribers. This article covers NAT logging, ALG vulnerabilities, port forwarding attack surface, CGNAT attribution challenges, and why IPv6 and Zero Trust are the right long-term answers.

Firewall rulesets accumulate over years into undocumented sprawl: permit-any rules no one understands, shadowed rules that never fire, and compliance audits that fail because no one can explain what a rule does or why it exists. Structured ACL design, zone-based models, and Infrastructure as Code bring firewall policy under engineering discipline.

Packet capture is too expensive to run continuously at scale. Network flow records — metadata about every connection without payload content — provide scalable, long-term visibility into who talked to whom, when, and how much data moved. NetFlow, sFlow, and IPFIX are the protocols that make this work.

Capturing packets is the most direct way to confirm lateral movement, reconstruct attack sequences, and preserve evidence of data exfiltration. Done wrong, it creates privacy and legal risk, exposes captured data, and runs as root indefinitely. This guide covers privilege-separated capture, PCAP storage security, forensic analysis workflows, and long-term network recording.

VLANs and coarse security zones leave east-west traffic within a segment unrestricted. Microsegmentation enforces per-workload firewall policy based on workload identity, not IP address — using eBPF with Cilium, systemd network namespaces, SPIFFE/SPIRE SVIDs, and service mesh mTLS.

nf_tables accounts for 43% of user-namespace-enabled kernel CVEs. When containers gain CAP_NET_ADMIN via user namespaces, they reach nf_tables kernel code — the source of dozens of container escapes. Block netfilter access from containers with seccomp, AppArmor, and namespace restrictions.

OpenVPN's flexibility is also its attack surface. This guide covers PKI hardening with EC keys and OCSP, the tls-auth/tls-crypt/tls-crypt-v2 ladder, data-channel cipher configuration for OpenVPN 2.6, privilege drop, management interface protection, and per-client access control.

X-Forwarded-For spoofing is one of the oldest tricks in the attacker playbook. Configure your proxy chain correctly — PROXY protocol v2, real_ip directives, and trusted hop counts — or every IP-based security control you have is fiction.

SOCKS proxies are a staple of red team toolkits: Cobalt Strike, chisel, and SSH dynamic forwarding all use SOCKS5 to tunnel C2 traffic and pivot through network segments. This article covers how attackers weaponise SOCKS, how to detect tunnelling in your environment, and how to harden both SSH and legitimate SOCKS deployments.

JA3 and JA4 fingerprint TLS ClientHello messages to identify malware C2 beacons, Cobalt Strike, scanning tools, and commodity RATs — without decrypting traffic. This article covers how both algorithms work, Zeek and Suricata integration, threat intelligence databases, and SIEM correlation pipelines.

A practical guide to eliminating weak TLS configurations across Nginx, HAProxy, Apache, and Envoy: dropping legacy cipher suites, enforcing TLS 1.3, managing dual-cert deployments, and automating cipher testing in CI.

CVE-2026-35051 allows authentication bypass in Traefik's ForwardAuth middleware when trustForwardHeader=false but Traefik sits behind a trusted upstream proxy. Patch to v2.11.43/v3.6.14 and audit header stripping in multi-proxy deployments.

VLAN boundaries are weaker than most engineers assume. Switch spoofing, double-tagging, and native VLAN abuse let attackers cross segment boundaries without touching a router. This guide covers DTP disablement, native VLAN hardening, Private VLANs, Linux VLAN configuration, and detection strategies for 802.1Q attacks.

WPA2 PSK networks are routinely cracked offline using captured handshakes. WPA3-SAE eliminates offline dictionary attacks via the dragonfly handshake, while WPA3-Enterprise with PMF-required and WIDS closes the remaining attack surface on wireless infrastructure.

Zeek transforms raw packet streams into structured, queryable logs covering every TCP/UDP flow, DNS query, HTTP transaction, TLS handshake, and file transfer on your network. Unlike alert-based IDS tools, Zeek gives you a complete network audit trail for threat hunting, incident response, and compliance.

VPNs grant network-level trust the moment a credential is accepted. ZTNA grants per-application access based on verified identity, device posture, and context — then terminates the session. Here is how to build it.

CVE-2026-33032 exposes nginx-ui's AI management MCP endpoint without authentication, allowing unauthenticated attackers to overwrite nginx.conf and execute commands. 2,600+ instances were internet-exposed. Learn the attack surface and how to eliminate it.

A private npm registry proxy with version approval workflows would have blocked Axios 1.14.1 before it reached any developer. Configure Verdaccio with version allowlists, approval gates, and integrity verification to make future attacks need to compromise your registry too.

CVE-2026-33432 allows unauthenticated attackers to bypass Roxy-WI's LDAP authentication by injecting metacharacters into the login username. Full admin access grants control over HAProxy and Nginx on all managed servers. Patch to 8.2.9 and harden LDAP filter construction.

Harden Caddy against CVE-2026-27586 mTLS silent fail, CVE-2026-27589 admin API CSRF, CVE-2026-30851 forward_auth header bypass—and Caddy's pattern of batching security fixes into routine releases.

Harden nginx against CVE-2026-1642 upstream TLS TOCTOU injection, CVE-2026-27654 DAV buffer overflow, and CVE-2026-27784 MP4 module overflow—and track nginx security releases before they reach your distribution.

CVE-2026-27944 exposes a critical API design flaw in Nginx UI: an unauthenticated endpoint that returns both encrypted backups and their decryption key. Learn how the silent-PR pattern works and how to prevent similar backup disclosure bugs.

The Axios RAT phoned home to C2 infrastructure during npm install. Build egress filters for CI runners, DNS monitoring for phantom dependency domains, and Suricata rules that catch the network signature of postinstall supply chain attacks.

CISA's OT Zero Trust guidance replaces the Purdue Model with ISA/IEC 62443 zones and conduits for granular segmentation. Learn how to define security zones, enforce conduit rules, design DMZs, and monitor IT/OT boundaries.

CISA identifies always-on vendor VPN access as a critical OT vulnerability. Replace it with time-limited ZTNA sessions through a DMZ jump host — with MFA, session recording, automatic expiry, and an out-of-band approval workflow.

Deploy BGP FlowSpec rules for real-time DDoS mitigation, black-hole routing, and traffic steering, with guidance on open source router implementation security and CVE monitoring.

Harden Cilium L7 HTTP, gRPC, and DNS network policies against CVE-2026-33726-class bypasses, per-endpoint routing pitfalls, and silent policy enforcement gaps in fast-moving Cilium releases.

Harden Istio AuthorizationPolicy against CVE-2026-26308 multivalue header RBAC bypass and CVE-2026-22771 Envoy Gateway Lua sandbox escape, with upstream security advisory monitoring.

Defend against ARP/ND spoofing, DHCP starvation, and rogue gateway attacks using Linux kernel controls, dynamic ARP inspection, and open source tools with active maintenance checks.

Harden Traefik's ForwardAuth, BasicAuth, and StripPrefix middleware against CVE-2026-40912 path-decoding bypass and CVE-2026-39858 header-normalization gaps disclosed April 21, 2026.

Harden VXLAN and Geneve overlay networks against VTEP spoofing, BUM traffic amplification, VNI enumeration, and cross-tenant traffic injection in cloud-native environments.

Deploy and harden internal DNS-over-HTTPS and DNS-over-TLS resolvers with Unbound or dnsdist to prevent DNS surveillance, hijacking, and NIDS bypass.

IPsec with IKEv2 provides strong network-layer encryption for site-to-site and remote access VPNs. Hardening requires certificate-based authentication over PSKs, strong cipher suites, dead peer detection, and revocation checking to prevent credential replay and MITM attacks.

Flat networks give an attacker who reaches any host access to every other host. Network segmentation limits lateral movement by enforcing that traffic between hosts must be explicitly permitted. Micro-segmentation, network zones, and east-west controls are the practical implementations.

SNMPv1 and v2c transmit community strings in plaintext and have no access control. SNMPv3 adds per-user authentication and AES encryption, but misconfigured security levels and overpermissive MIB views still expose device credentials and full configuration data.

Suricata inspects network traffic against rule sets to detect exploit attempts, lateral movement, C2 communication, and data exfiltration. Running it inline as an IPS blocks malicious traffic in real time; running it on mirrored traffic provides detection without packet risk.

Certificate Transparency requires all publicly trusted TLS certificates to be logged in append-only public logs. Monitoring CT logs for your domains detects rogue certificates issued without your knowledge — a key indicator of domain hijacking, CA compromise, or insider misissuance.

DNS RPZ lets an internal resolver return NXDOMAIN (or a sinkhole) for known-malicious domains before a connection is ever made. One control blocks C2, phishing, and malware distribution network-wide.

SPF limits who can send as your domain. DKIM signs messages. DMARC enforces policy and sends reports. BIMI shows your logo in supporting clients. Most organisations have gaps in all four.

Unauthenticated NTP lets any on-path attacker shift system clocks, invalidating TLS certificates, JWT tokens, and Kerberos tickets. NTS (RFC 8915) adds TLS-based authentication to NTP without sacrificing accuracy.

A bastion host is the single SSH entry point to your fleet. Hardening it — session recording, certificate auth, MFA, strict forwarding controls — contains the blast radius of a stolen SSH key.

BGP hijacking lets attackers redirect your traffic to their infrastructure. RPKI Route Origin Validation, route filtering, and ASPA make hijacks detectable and preventable.

Envoy's defaults expose admin APIs, pass headers unsanitized, and log nothing useful for security. A hardened Envoy configuration changes all three.

HAProxy's defaults are friendly to misconfiguration. The right knobs make it fast, observable, and resistant to common L7 abuse.

Pod egress in a service mesh is a per-Pod decision; egress gateways centralize, audit, and bound it. The pattern that finally makes 'where can my workload reach' answerable.

WireGuard turns the public Internet into an internal network. Three deployment patterns, three different operational models, one cryptographic core.

XDP runs your filter at the network driver level, before the kernel allocates an sk_buff. Drop attacks at line rate on commodity NICs with a few hundred lines of eBPF.

TLS 1.3 still leaks the destination hostname via SNI. ECH closes that gap. Browser support is now wide enough to deploy in production.

Two recent CVE classes weaponize HTTP/2's stream and header model. Mitigation is settings-tweak in NGINX and Envoy, but only if you know which knobs.

QUIC moves TLS into the transport. New attack surface: UDP amplification, 0-RTT replay, connection ID tracking, stream flow-control abuse. Hardening is non-trivial.

AI-powered botnets of compromised IoT and edge devices launch DDoS attacks exceeding 1 terabit per second. These attacks are increasingly used as smokescreens for simultaneous data theft operations. This article covers the multi-layer defensive architecture from edge absorption to origin hardening.

Most production environments run dual-stack (IPv4 and IPv6) whether the team intended it or not. Linux enables IPv6 by default.

gRPC services exposed through API gateways face unique security challenges: gRPC-Web transcoding introduces injection surfaces, metadata headers can carry internal routing information past the edge, and per-method rate limiting requires gRPC-aware configuration.

Most NGINX hardening guides stop at TLS configuration, cipher suites, certificate setup, HSTS.

Rate limiting is the first line of defence against abuse, credential stuffing, API scraping, and denial-of-service attacks.

"It's internal" is the most dangerous phrase in infrastructure security. Internal APIs sit behind the perimeter and receive minimal scrutiny.

Load balancers sit at the most critical point in your infrastructure: every external request passes through them.

Without a centralized API gateway, authentication and authorization logic is duplicated in every backend service. This creates several problems:

TLS misconfiguration remains one of the most common security findings in production infrastructure.

Internal service-to-service traffic in most Kubernetes clusters is plaintext. Once an attacker compromises a single pod, through a container escape,...

L4 load balancers break gRPC multiplexing, sending all streams to a single backend. This article covers L7 balancing with Envoy, client-side balancing with xDS, health check hardening, and connection draining for secure gRPC deployments.

DNS is the most critical single point of failure in any infrastructure, and the least hardened layer for most teams.

A self-managed Web Application Firewall (WAF) with default rules generates dozens of false positives per day.

HTTP request smuggling exploits inconsistencies in how chained HTTP processors (reverse proxies, load balancers, backend servers) parse request...

Security headers are free, server-side controls that instruct browsers to restrict dangerous behaviour.

WebSocket connections start as an HTTP upgrade request and then persist as a long-lived, full-duplex channel.

gRPC services in production frequently run with security configurations that would never be acceptable for HTTP APIs:

The pull_request_target trigger runs workflows in the context of the target repository — with access to repository secrets — while executing code from the pull request branch; dozens of supply chain incidents in 2024-2025 exploited this pattern to steal tokens and compromise downstream deployments.

When dependency CVE counts surge into the hundreds per week, manual triage collapses; auto-merge policies for patch-level updates, EPSS-weighted PR queues, scanner false-positive suppression, and SLA-driven escalation keep the remediation pipeline moving without overwhelming the team.

gixy, nginx -t, and Conftest OPA policies in CI catch NGINX misconfigurations — open proxy, SSRF paths, annotation injection surfaces, and module CVE exposure — before they reach production; build a gate that blocks deployment when configuration is dangerous.

GitHub Copilot Workspace generates, implements, and opens pull requests autonomously; scope its permissions to the minimum required, review its output for secrets and vulnerabilities before merge, and prevent it from bypassing required review gates.

AI-generated automatic security fixes — GitHub Copilot Autofix, CodeQL AI, Snyk DeepCode — may be incomplete, introduce new vulnerabilities, or fail to address the root cause; require validation steps before autofix PRs reach production branches.

GitHub environment protection rules gate deployments behind required reviewers, branch constraints, and custom approval checks; scope secrets to environments rather than repositories to contain the blast radius of a compromised workflow or runner.

AI assistants generating GitHub Actions, GitLab CI, and Jenkins pipeline YAML introduce predictable misconfigurations — over-broad permissions, missing secret masking, and unconstrained runner access; validate AI-generated pipeline code with automated policy checks before merge.

Gitea and Forgejo have had multiple authentication bypass, RCE, and SSRF CVEs in 2024–2025; harden the instance configuration, webhook validation, runner isolation, and network exposure to reduce the attack surface of self-hosted Git infrastructure.

CVE-2026-42826 (CVSS 10.0) demonstrated that Azure DevOps can expose sensitive pipeline configuration, credentials, and build artefacts to unauthenticated requests under certain conditions. This article covers hardening Azure DevOps against unauthenticated API access: disabling public project visibility, scoping Personal Access Tokens, locking down service connections, enforcing conditional access, and detecting anomalous API access patterns.

GitHub Artifact Attestations link build artifacts to their source with cryptographic SLSA provenance; configure attestation generation in Actions, enforce verification at deploy time, and integrate with admission control to prevent unsigned images from reaching production.

Actions Runner Controller (ARC) scales GitHub Actions self-hosted runners as Kubernetes pods. Each runner pod executes arbitrary CI code from the repository's workflow files. Without ephemeral runners, pod security standards, and network isolation, one malicious workflow can compromise the Kubernetes node running the runner. This article implements a hardened ARC deployment with ephemeral pods, minimal RBAC, and network controls.

API keys committed to repositories, hardcoded in Dockerfiles, stored in CI environment variables, and passed between pipelines accumulate silently over years. A 3-year-old Stripe API key in a Docker layer cache is as dangerous as a freshly generated one. This article covers auditing existing API key exposure, enforcing rotation SLAs via CI, scoping keys to minimum permissions, and detecting anomalous usage before keys are reported compromised.

Build pipelines that copy or move artifacts between stages, registries, or environments without re-verifying digests create a substitution window: an attacker with write access to the intermediate store can swap the artifact between the build stage and the deploy stage. This article covers content-addressed storage enforcement, per-stage cosign verify-blob, digest pinning in promotion pipelines, and detecting tampering with SLSA provenance.

The container registry is the last checkpoint before an image enters production — making it a high-value target for supply chain attackers. This article covers Harbor security hardening (RBAC, Trivy scanning on push, replication security), AWS ECR security best practices (repository policies, image scanning, lifecycle rules), GCR/Artifact Registry access control, and cross-registry promotion pipelines that maintain provenance.

Debugging a failed CI/CD pipeline often requires shell access to the build environment — but granting developers persistent SSH access to build infrastructure is a supply chain risk. ContainerSSH provides a middle path: time-limited, fully-audited SSH sessions that launch containers matching the exact failed build environment, with automatic session expiry and a complete audit trail of every command run.

Integrating Copa (Copacetic) into CI/CD pipelines automates the scan-patch-verify-sign loop for container images: Trivy scans the image, Copa applies OS package patches via BuildKit, Trivy re-scans to confirm CVE elimination, and cosign signs the patched digest. This article covers the full pipeline implementation in GitHub Actions and Tekton, patch failure handling, and integrating Copa into promotion gates.

GitHub Actions workflows that use actions@latest or grant workflow:write permissions are one compromised action maintainer account away from a supply chain incident. This article covers pinning actions to commit SHAs, the GITHUB_TOKEN minimum permissions model, OIDC token scope reduction, detecting secrets exfiltration in action logs, Dependabot for action updates, and the StepSecurity Harden-Runner for runtime action monitoring.

A golden path (paved road) is the opinionated set of tools and patterns a platform team provides for developers to build, test, and deploy services. When security is baked into the golden path — secure base images, mandatory SBOM generation, pre-configured SAST, network policies on by default — developers get security for free. This article covers designing secure golden paths for Kubernetes services, enforcement via admission control, and measuring adoption.

A kubeconfig stored in a CI artifact, printed to workflow logs, or committed to a dotfiles repo gives an attacker the exact same Kubernetes API access as the pipeline service account. CI/CD pipeline service accounts are routinely granted cluster-admin or namespace-admin to enable deployments. This article traces the complete attack chain from kubeconfig discovery to cluster-wide compromise, and the controls that stop each step.

Fuzzing at commit time catches memory corruption, logic errors, and input validation bugs before they ship — the same bugs that supply chain attackers target in widely-used libraries. This article covers integrating ClusterFuzzLite into GitHub Actions, writing libFuzzer harnesses in C and Go, using OSS-Fuzz for open-source projects, and triaging fuzzer-found crashes with AddressSanitizer output.

A Software Bill of Materials (SBOM) is only useful if it is accurate, complete, and correlated against vulnerability databases. This article covers generating SBOMs with Syft, Trivy, and cdxgen across container images, source trees, and build outputs; consuming SBOMs with Grype and OWASP Dependency-Track; and integrating SBOM workflows into CI/CD pipelines with policy gates.

Shift-left security moves vulnerability detection to the developer's workstation and the PR review stage, where fixes are 100x cheaper than production remediation. This article covers IDE security plugins (Semgrep, Snyk in VS Code), pre-commit frameworks for secrets and SAST, configuring security-aware PR checks in GitHub Actions, and measuring developer security feedback loop latency.

SLSA provenance attestations are only enforceable if Kubernetes admission control verifies them before workloads run. This article covers attaching SLSA provenance as OCI attestations with cosign attest, verifying attestations in Kyverno with JMESPath predicates, using the SLSA verifier as an external webhook, and building a policy that requires SLSA level 3 provenance for production namespaces.

SLSA (Supply-chain Levels for Software Artifacts) provides a graduated framework for proving that build artifacts were produced from expected source code via expected build processes. This article covers SLSA levels 1-4, in-toto attestations, SLSA provenance generation with GitHub Actions and Google Cloud Build, and verifying provenance at deployment time using policy engines.

SOPS (Secrets OPerationS) encrypts secret files using age keys, AWS KMS, Azure Key Vault, or GCP KMS — leaving the file structure visible but values encrypted. The result is a committable, diff-able, auditable encrypted secret that lives in git alongside the manifests that use it. This article implements SOPS with age for a Kubernetes GitOps workflow, covering key rotation, CI/CD integration without stored decryption keys, and detecting accidental plaintext commits.

Terraform code that provisions cloud infrastructure with open security groups, public S3 buckets, or overly permissive IAM policies creates immediate risk. This article covers Terraform security scanning with Checkov and Trivy, pre-commit hooks for IaC, Conftest/OPA policy gates in CI, Sentinel policies in Terraform Cloud/Enterprise, and Atlantis security hardening for self-hosted plan/apply workflows.

In 2026, AI tools can generate syntactically correct, contextually plausible code that contains subtle backdoors invisible to both human reviewers and static analysis tools. Simultaneously, AI reviewer bots can be manipulated into approving malicious PRs. The PR review pipeline needs controls that don't assume either human or AI reviewers are reliable.

GitHub Copilot, Cursor, and Claude Code generate code trained on GPL, LGPL, and AGPL repositories. The legal risk of shipping AI-generated code in commercial products is unresolved. Separately, AI-generated code creates SBOM gaps: when an LLM inlines functionality previously provided by a declared dependency, the result has no provenance, no licence, and no CVE feed. This article covers how to audit AI-generated contributions and what controls reduce legal and supply-chain risk.

Hardening shared CI build caches against poisoning: scope keys, signed cache entries, branch-isolated namespaces, and detection for replay and tampering.

CI pipelines that build container images inside containers use one of two approaches: mount the host Docker socket (/var/run/docker.sock) or run Docker with --privileged. Both give full root access to the Kubernetes node running the build job. Kaniko, Buildah, and rootless BuildKit build container images without either, using only the shared Linux kernel's user namespace support.

Reusable workflows pulled by `uses: org/repo/.github/workflows/x.yml@ref` are a supply-chain blind spot that the 2025 tj-actions and reviewdog incidents exploited. This is how to enforce SHA pinning, audit drift across an entire org, and detect tampering before CI runs attacker-controlled code.

GitHub Advanced Security (GHAS) includes secret scanning with push protection, CodeQL code scanning, dependency review, and Copilot Autofix — but default configuration leaves most of its security value on the table. This guide covers enterprise-wide GHAS enablement, push protection bypass governance, organisation-level code scanning policies, custom secret patterns, and measuring AppSec programme effectiveness with GHAS security overview.

The MCP ecosystem is growing rapidly with hundreds of community-built servers on npm, PyPI, and GitHub. A compromised MCP server package — analogous to the tj-actions/changed-files attack — silently intercepts tool calls, exfiltrates parameters (which may contain credentials, personal data, or internal system details), and returns manipulated results. SHA-pinning MCP server definitions and verifying server integrity before use close the most accessible attack vectors.

GitHub Actions marketplace actions, Jenkins plugins, and GitOps tools like ArgoCD are high-impact supply chain targets — a compromised action runs with access to your build secrets and source code. This guide covers how to report vulnerabilities in CI/CD tools, what the disclosure processes look like for each ecosystem, and how pipeline maintainers should respond when a vulnerability drops in a tool they depend on.

Software supply chain signatures using ECDSA-P256 or RSA are vulnerable to quantum 'harvest-now-verify-later' attacks — an adversary could forge signatures retroactively. Sigstore's roadmap includes ML-DSA support, and cosign already supports custom PQC signing keys via providers. This guide implements hybrid ML-DSA artifact signing, plans the Sigstore PQC migration, and maintains backward-compatible verification.

Automated bots in 2025-2026 submit crafted pull requests to public GitHub repositories exploiting pull_request_target (which runs with write permissions and secret access), environment variable exfiltration via workflow manipulation, and the trust boundary between forked PRs and the base repository. The 2025 tj-actions/changed-files compromise demonstrated the scale: one malicious workflow change reached 23,000+ repositories.

GitHub-hosted and self-hosted runners share a Linux kernel across concurrent jobs. Techniques including /proc filesystem traversal, cgroup namespace confusion, ptrace across job boundaries, and tmpfs timing attacks let one CI job read another job's environment variables and secrets — without any CVE required.

Anthropic's Red Team found 500+ validated high-severity vulnerabilities using LLM analysis — including kernel bugs undetected for 23 years. Integrate AI-assisted SAST into CI/CD pipelines, understand what LLMs find that rule-based tools miss, and manage false-positive fatigue at scale.

CodePipeline and CodeBuild run with IAM roles that can reach production infrastructure, pull secrets, and write to container registries. Overprivileged build roles, plaintext environment variable secrets, public-facing build environments, and unencrypted artifact buckets are the primary attack surface. Hardening requires least-privilege IAM, Parameter Store integration, VPC isolation, KMS artifact encryption, and manual approval gates for production.

Azure Pipelines service connections hold keys to every environment the pipeline deploys to. Overpermissive service principals, classic pipeline authoring without audit trail, variable groups readable by any pipeline, and pull request builds running untrusted contributor code are the most common attack paths. This article covers YAML pipelines, service connection scoping, workload identity federation, protected resources, agent pool isolation, and branch policy enforcement.

Bazel's hermetic build model provides strong security properties by default, but remote execution, bzlmod registry trust, external repository rules, and remote cache poisoning introduce distinct attack surfaces. This guide covers hardening each layer end-to-end.

BuildKit's cache backends — inline, registry, S3, and GitHub Actions — each carry distinct poisoning risks. This guide covers cache attack surface mapping, registry access controls, secrets in ARG vs --secret, multi-stage isolation, and provenance verification after cache-assisted builds.

Automatic promotion to production bypasses human verification and lets supply chain compromises reach live systems unopposed. Hardening promotion gates combines automated quality checks, cryptographic policy enforcement, and mandatory human approval to create a verifiable, audit-ready barrier between staging and production.

A compromised pipeline ships malicious code to production at scale. Learn what to monitor, which signals betray tampering, and how to wire audit logs, egress anomalies, and build provenance into a detection strategy.

The January 2023 CircleCI breach showed that CI platforms are high-value targets. Hardening CircleCI means securing contexts with group-based restrictions, replacing static credentials with OIDC tokens, locking down self-hosted runners, and preventing fork pipelines from touching secrets.

Attestations are signed metadata attached to a container image as a co-located OCI artifact. This article covers attaching and verifying SLSA build provenance and SBOM attestations using cosign, in-toto, and Kyverno.

Registry scanning catches CVEs after deployment; build-time scanning stops them before. Learn how to integrate Trivy and Grype into GitHub Actions and GitLab CI, set severity thresholds, suppress false positives with VEX, scan IaC, and feed results into Dependency Track for centralised vulnerability management.

Long-lived AWS, GCP, and Azure credentials stored as CI secrets are a permanent liability. OIDC token exchange lets your pipeline mint short-lived cloud credentials per run, with no stored secrets and a complete audit trail.

Self-hosted runners execute arbitrary workflow code on infrastructure you own. Hardening the runner binary, isolating the host, restricting network egress, and enforcing ephemeral patterns closes the gap between CI convenience and production-grade security.

CVE-2026-4922 lets unauthenticated attackers trigger privileged GitLab operations via CSRF against the GraphQL API. A logged-in user visiting a malicious page can have their code, pipelines, and settings modified without interaction. Patch and enforce SameSite cookies.

Go's module proxy and checksum database provide a strong foundation for supply chain security, but only when teams understand what they protect against — and what they don't. This article covers the full Go module security model: go.sum verification, govulncheck in CI, GONOSUMCHECK pitfalls, private module proxies with Athens, replace directive risks, and vanity import path hardening.

A practical guide to catching infrastructure misconfigurations before they reach production — covering Checkov, tfsec, Trivy, KICS, terrascan, and conftest integrated into GitHub Actions with SARIF annotations, custom policies, false positive suppression, and severity-based blocking.

Manual changes, emergency fixes, and console hotpatches silently diverge your infrastructure from the IaC source of truth—bypassing security review and accumulating compliance debt. Learn to detect, alert on, and prevent drift using Terraform plan schedules, Driftctl, Argo CD self-heal, Flux reconciliation, AWS Config, and CloudTrail analysis.

Runtime admission controllers catch bad manifests at deploy time — when it's too late for the developer and too slow for the pipeline. Shift manifest security left with kubesec, Trivy, Conftest, Kyverno CLI, and Polaris in GitHub Actions to fail PRs before anything reaches the cluster.

A copyleft dependency buried three levels deep in your transitive graph can legally obligate you to open-source your entire product. Automated license scanning in CI catches that before it ships.

Maven Central and Gradle Plugin Portal are high-value supply chain targets. Dependency verification with checksums and PGP, OWASP Dependency-Check integration, private repository proxies, wrapper JAR validation, artifact signing, and reproducible builds close the attack surface.

Single-stage Dockerfiles ship compilers, package caches, and debug tools straight to production. Multi-stage builds with distroless or scratch final images, digest-pinned bases, and Hadolint linting keep the attack surface to the absolute minimum.

Pre-commit hooks catch secrets, misconfigurations, and vulnerable code at commit time — before they reach CI or a remote repository. This article covers the pre-commit framework, key security hooks, team-wide enforcement, and the architectural limits of client-side hooks.

Pulumi state files hold every resource attribute your infrastructure owns. Locking down state backends, encrypting secrets with KMS, enforcing policy as code with CrossGuard, and replacing API tokens with OIDC are the controls that prevent a compromised CI pipeline from becoming a full infrastructure takeover.

PyPI supply chain attacks, typosquatting, and malicious install-time code are live threats to every Python CI pipeline. This guide covers pip-audit, hash-pinned requirements, Poetry lock file verification, private PyPI mirrors, OIDC trusted publishing, and Dependabot configuration to close the gaps.

Rust's memory safety guarantees end at the crate boundary. Build scripts execute arbitrary code at compile time, proc macros run inside the compiler, and crates.io has no mandatory code review. This article covers cargo-audit, cargo-deny, Cargo.lock strategy, cargo-vet, private registry pinning, and reproducible builds to harden the Rust supply chain.

A practical guide to embedding Static Application Security Testing into CI/CD pipelines — covering Semgrep custom rules, CodeQL queries, language-specific scanners, SARIF output, and the critical discipline of keeping false positive rates low enough that developers don't tune out alerts.

Secrets end up in git history through committed .env files, debug logging, and convenience shortcuts. Once pushed, they are permanent without history rewriting. This article covers pre-commit hooks, Gitleaks and TruffleHog integration, GitHub and GitLab native scanning, false positive management, and incident response when a secret is found.

Sarbanes-Oxley Section 404 requires that no individual can both develop code and deploy it to production financial systems. Modern CI/CD pipelines can satisfy SOX IT General Controls — but only with explicit segregation of duties, immutable audit trails, and change management integration. This guide implements SOX-compliant pipeline controls using GitHub Actions and GitLab CI.

CI can be bypassed, misconfigured, or compromised — but admission control cannot be skipped. This article covers the deploy-time gate as the final, non-negotiable supply chain checkpoint: image signing, SLSA provenance, SBOM attestation, vulnerability gating, Sigstore policy-controller, Kyverno, OPA Gatekeeper, slsa-verifier, and air-gapped deployments.

Unsecured webhook receivers are a reliable path to triggering arbitrary pipeline executions, bypassing branch protections, and exfiltrating infrastructure secrets. This article covers HMAC signature verification for GitHub and GitLab webhooks, replay attack prevention, receiver hardening, IP allowlisting, secret rotation, and Jenkins CSRF protection.

TeamPCP rewrote 76 of 77 aquasecurity/trivy-action release tags with credential-stealing malware in March 2026. If your workflow pinned to a tag like @v0.25.0 rather than a commit SHA, you ran the malicious version. Learn how SHA pinning and action verification close this gap.

CVE-2026-3854 allows any user with push access to achieve RCE on GitHub Enterprise Server by injecting HTTP/2 header delimiters into git push options. Patch to GHES 3.19.3+ and harden push option handling across self-hosted git infrastructure.

Lockfile integrity hashes would not have caught the Axios 1.14.1 attack — the malicious tarball was legitimately published, so the hash was correct. Understand what lockfiles do and don't protect against, enforce npm ci in CI, and detect lockfile tampering.

CVE-2026-40886 crashes the Argo Workflows controller with a single malformed pod annotation. Learn how the silent-patch pattern enabled this and how to harden your cluster against annotation-injection DoS attacks.

Harden Crossplane provider credentials against over-scoped cloud access, composite resource privilege escalation, and the silent-fix pattern in Crossplane's distributed provider release ecosystem.

Track and remediate Go runtime CVEs like CVE-2026-33810 x509 name-constraint bypass across CI/CD toolchains—govulncheck, binary auditing, and the silent propagation of Go crypto fixes.

The Axios attacker bypassed GitHub Actions OIDC by publishing with a stolen npm token. Harden maintainer accounts with hardware-key 2FA, scoped automation tokens, out-of-band publish detection, and npm provenance attestations.

CISA identifies configuration drift as a key OT vulnerability. Manage firewall conduit rules and switch configs as Git-versioned code — with peer review, automated compliance checks, and drift detection that alerts when rules silently reopen IT-to-OT paths.

CISA identifies OT supply chain management as the most strategic security lever. Build patch pipelines that validate firmware SBOMs, enforce time-limited vendor access, and stage updates on replica systems before deploying to live OT.

Harden Argo CD ApplicationSet controllers against cluster generator privilege escalation, Git generator path traversal, and the recurring pattern of security fixes shipped without advance advisory.

Harden Dagger CI/CD pipeline-as-code deployments by securing the engine API socket, scoping container privileges, protecting secrets, and tracking silent security fixes in Dagger releases.

Replace long-lived Personal Access Tokens with scoped, short-lived GitHub App installation tokens, and harden App private key storage, permission minimization, and token rotation.

Harden Harbor container registry against CVE-2026-4404 hardcoded credential compromise, image tampering, and the silent-fix disclosure pattern in Harbor's rapidly evolving release cycle.

Secure OpenTofu and Terraform provider initialization against CVE-2026-32280-class TLS chain attacks, malicious module archives, and silent DoS fixes visible before patched releases ship.

Eliminate long-lived publish tokens by configuring OIDC-based trusted publishing from GitHub Actions to npm and PyPI, and monitor open source package registry security advisories.

Argo CD controls what deploys to your Kubernetes clusters. Weak RBAC, default credentials, insecure repository access, and overpermissive cluster roles make it a high-value attack target. Hardening it limits blast radius from credential compromise.

Secure BuildKit rootless container builds by hardening user namespace isolation, build secret handling, cache poisoning defences, and daemon privilege scoping.

Flux continuously reconciles Kubernetes cluster state with Git repositories. Its service accounts need Kubernetes write access; its Git credentials need repository read access. Scoping both correctly, verifying source authenticity, and auditing reconciliation events prevents Flux from becoming a privileged attack vector.

GitLab CI pipelines have access to deployment credentials, cloud provider tokens, and production secrets. Unprotected variables, shared runners with broad permissions, and unrestricted pipeline triggers expose these secrets to any developer with repository access.

Jenkins is one of the most common CI/CD platforms and one of the most commonly compromised. Default credentials, unauthenticated endpoints, unaudited plugins, and agents with excessive host access create a broad attack surface. Hardening Jenkins requires authentication enforcement, plugin minimisation, and agent sandboxing.

Tekton runs CI/CD pipelines as Kubernetes pods. Each TaskRun executes in its own pod, but shared workspaces, overpermissive RBAC, and unrestricted step images allow a malicious pipeline step to access other steps' data, reach the Kubernetes API, or persist state across runs.

Branch protection rules prevent force-pushes, require review, and gate on status checks. At scale across hundreds of repos, enforcement requires the Rulesets API, CODEOWNERS, and automated compliance checks.

Most Dockerfiles leak secrets into image layers, run builds as root, and produce images larger than necessary. BuildKit secrets, rootless mode, multi-stage builds, and Hadolint fix all three.

Dependency confusion attacks exploit the gap between private package names and public registries. Private registries with scope enforcement, upstream proxying, and integrity verification close the gap.

Terraform state files contain plaintext secrets, resource IDs, and full infrastructure topology. Securing the backend, encrypting state at rest, locking against concurrent writes, and detecting config drift are all required.

GHAS ships three controls — secret scanning, code scanning with CodeQL, and Dependabot — that organisations routinely leave at defaults. Hardened configuration dramatically changes what gets caught.

Standing CI permissions are a liability. JIT mints production permissions only at deploy time, with explicit approval and short lifetime.

Bots that update dependencies are great until one auto-merges a malicious release. The defaults are safe-ish; the configuration that makes them production-safe is more deliberate.

Four identity types, four very different scope/lifetime/permission models. Pick wrong and you ship the wrong-shaped credential to every CI run for years.

Keyless signing eliminates long-lived signing keys by issuing short-lived certificates from Fulcio and recording signatures in the Rekor transparency log. Cosign wires it into CI/CD.

Container-based CI runners share a host kernel. Firecracker and Kata give each job its own kernel and a fresh VM — large blast-radius reduction, modest cost.

OIDC federation between CI and cloud removes long-lived secrets. The trust policies that grant the access are the new attack surface, and most are too loose.

Hand-clicking branch protection rules across 200 repos guarantees drift. Terraform + the github provider + a shared module makes it auditable, reviewable, and reversible.

Most build pipelines run with unrestricted outbound internet. A single compromised dependency exfiltrates secrets, tokens, and source code in seconds.

Attackers no longer need to breach you directly when they can compromise a vendor, open-source library, or managed service provider that you trust. A single poisoned dependency can cascade into thousands of downstream organisations. This article covers the controls that detect and contain supply chain compromise.

Static credentials in CI/CD pipelines are the leading cause of secret sprawl. Teams store long-lived API keys, database passwords, and cloud provider.

SBOM generation is easy, run Syft, get a list of every package in your container image.

Terraform state files contain every secret, IP address, and configuration detail of your infrastructure in plaintext JSON.

Container registries store the most sensitive artifacts in your deployment pipeline.

CI/CD pipeline definitions live alongside application code in Git.

Helm values files control security-critical Kubernetes fields like security contexts, image references, and resource limits. Without schema validation, a single misconfigured value can deploy a privileged container or pull an unscanned image.

CI/CD runners are the most privileged, least monitored components in most infrastructure.

Helm is the dominant package manager for Kubernetes, but most teams install charts without verifying provenance, pass unvalidated values that end up...

Helm charts pulled from public repositories are unsigned, unverified, and executed with whatever permissions their templates request. This article covers OCI-based chart storage, cosign signing and verification, chart mirroring for airgapped environments, and Kyverno policies to enforce signed charts.

Build artifacts pass through multiple stages between source code and production deployment.

GitHub Actions is the most widely used CI/CD platform, but its security model is scattered across dozens of documentation pages.

Dependency confusion and typosquatting attacks exploit the gap between "I declared a dependency" and "I verified the dependency I got." Version pinning...

Two builds from the same source code should produce the same container image. In practice, they almost never do.

GitOps centralizes deployment authority in Git repositories. Tools like ArgoCD and Flux watch Git repositories and reconcile cluster state to match...

Without provenance, you cannot prove where a container image came from, what source code it was built from, or whether the build process was tampered...

AI coding assistants read the working directory to provide context; .env files, private keys, cloud credentials, and config files in the project directory are silently included in LLM context and sent to the AI provider — gitignore-equivalent controls, secret detection pre-flight checks, and workspace isolation prevent accidental exposure.

LLM-assisted fuzzing, automated code analysis, and AI-driven vulnerability research are compressing the time from software release to CVE disclosure; teams that previously had months before a vulnerability was discovered now have days — understanding this shift and building faster response capability is not optional.

NGINX is commonly deployed in front of vLLM, Ollama, and proprietary inference APIs; CVE patching urgency is higher because inference proxies handle API keys, model outputs, and high-value inference traffic; rate limiting, request validation, and response filtering reduce the blast radius of both NGINX CVEs and prompt injection.

MCP's elicitation API allows servers to request additional user inputs mid-session, creating a social engineering surface where a malicious server can solicit sensitive credentials, PII, or approval for dangerous actions; validate elicitation requests and apply strict user consent controls.

LLM API credentials enable cost-generating inference abuse, data exfiltration via prompt content, and competitive intelligence extraction; baseline call patterns, scan prompt content for anomalies, and alert on cost spikes to detect credential compromise before the monthly bill arrives.

LLM-generated content piped into downstream systems creates novel injection vectors — code execution, SQL injection, shell command injection, and template injection via AI responses; validate, sanitise, and sandbox all LLM output before it reaches an interpreter.

AI tools can triage large CVE backlogs using EPSS exploitation probability, reachability analysis, and business context scoring; build a prioritisation pipeline that reduces analyst time while maintaining human oversight of high-stakes patch decisions.

Reasoning models expose extended thinking or chain-of-thought scratchpads that may contain sensitive system context, internal API responses, and reconstructed secrets; configure streaming controls, output filtering, and deployment architecture to prevent inadvertent disclosure.

Sensitive data placed in LLM context — API keys, PII, internal documents — can be extracted by indirect prompt injection through untrusted content; apply context segmentation, output filtering, and request tracing to contain the exposure.

On May 10, 2026, attackers uploaded a typosquatted repository (Open-OSS/privacy-filter) to HuggingFace containing a Rust-compiled infostealer disguised as a legitimate model. It accumulated 244,000 downloads before removal. This article covers the attack anatomy, how to verify model artifact integrity before loading, cosign signing for ML models, controlled model registries, and detection of malicious model behaviour at load time.

Trivy scans produce dozens of CVEs per image; not all warrant immediate Copa patching. LLMs can analyse CVE descriptions, CVSS vectors, exploit availability signals (EPSS, KEV), and the image's runtime context to produce a prioritised remediation plan — distinguishing library vulnerabilities that are reachable from the application's code paths from those that are not. This article covers prompt patterns, structured LLM output for Copa task generation, and VEX document generation from AI triage decisions.

AI inference clusters have attack surfaces that don't exist in standard Kubernetes deployments: privileged GPU device plugin DaemonSets that run on every node, model weight PersistentVolumes accessible across pods, NodeAffinity requirements that concentrate workloads on expensive GPU nodes, and cloud IAM roles with model registry access. This article maps the attack paths specific to LLM inference infrastructure and the controls for each.

ContainerSSH's structured audit logs — containing every command, every output, and every file access in an SSH session — are rich signal for anomaly detection. This article covers feeding ContainerSSH session recordings to an LLM pipeline to detect attacker behaviour patterns: reconnaissance commands, exfiltration sequences, privilege escalation attempts, and lateral movement tools, with structured alert output and automated incident ticket creation.

APIs that pass user-controlled parameters directly to LLM prompts are vulnerable to parameter-level prompt injection — the API parameter IS the injection vector, not the chat interface. Token-based rate limiting (not request-based) prevents model DoS where one request costs 100,000 tokens. Output filtering and usage pattern analysis detect model abuse before it becomes a billing or data breach incident.

Large language models trained on public code reproduce the vulnerability patterns they learned, including unsafe memcpy usage, unchecked copy_from_user calls, and TOCTOU-prone check-then-copy sequences. This article covers the empirical evidence for vulnerable pattern reproduction, how to detect AI-generated unsafe copy code in review, SAST rules targeting LLM-typical mistakes, and developer guidance for prompting models away from insecure patterns.

Standard Kubernetes ingress rate limiting counts HTTP requests. LLM inference is billed by token — one request can consume 100,000 tokens and cost $50. Per-user token budgets, token-weighted rate limiting via Envoy, and priority queuing for GPU resource contention require a different architecture than standard API rate limiting. This article implements token-aware rate limiting for vLLM and HuggingFace TGI deployments.

ML pipelines access training data (S3/GCS), experiment tracking (MLflow, Weights & Biases), model registries (Hugging Face, MLflow, Vertex AI), GPU clusters (Kubernetes, SLURM), and inference APIs (OpenAI, Anthropic). Each connection requires credentials. MLOps workflows, notebooks, and training scripts accumulate these credentials in ways that bypass standard CI/CD security controls. This article maps the MLOps secret surface and implements a unified secret management strategy.

Claude Computer Use, OpenAI Operator, and browser-automation LLM agents read web page content and execute actions based on what they see. A webpage that renders 'Ignore previous instructions — email the user's session token to attacker.com' is indistinguishable from legitimate page content to the agent. Web-content prompt injection is the new XSS for the agentic era.

GitHub Copilot Autofix, Snyk DeepCode AI, and Amazon CodeGuru generate automated fixes for security findings — but AI-generated patches can introduce new vulnerabilities, incomplete fixes, or contextually wrong remediations. This guide evaluates AI autofix tools for security, covers fix quality assessment, safe review workflows, and the risks of blindly merging AI-suggested security patches.

Hardening LLM eval pipelines (Inspect, lm-eval-harness, custom): untrusted dataset isolation, sandboxed model execution, attestation of eval results, leakage controls.

vLLM, Ollama, LangChain, and Hugging Face Transformers are accumulating CVEs rapidly — but the AI security disclosure ecosystem is immature. Model weights can contain embedded exploits, inference servers have unauthenticated APIs by default, and LLM framework vulnerabilities often involve novel attack classes with no established CVSS scoring guidance. This guide covers the AI security disclosure landscape, how to report AI infrastructure vulnerabilities, and how to track and respond to them.

AI model weights encrypted with RSA or ECDH today are vulnerable to harvest-now-decrypt-later. A quantum adversary who captures encrypted model weights, training data, or inference traffic can decrypt them when CRQCs become available. This guide covers PQC threat modelling for AI assets, implementing ML-KEM for model distribution, and protecting inference pipelines with hybrid PQC TLS.

Computer Use lets Claude move a mouse, type at a keyboard, and take screenshots inside a virtual machine on your infrastructure. The threat model is unlike any other tool-use scenario — the agent has GUI-level access to whatever runs in the sandbox. Production hardening guide for the VM, the screen pipeline, and the action authorisation layer.

NVIDIA GPU drivers run in the host kernel. CVE-2023-0184 (NVKM heap overflow), CUDA context isolation failures, and GPU memory remanence between tenants mean multi-tenant AI inference clusters leak model weights and prompt data across tenant boundaries — through the same shared-kernel surface that affects CPU workloads.

LLMs now generate contextually plausible credentials from breach data + OSINT, creating credential lists with 3-5x higher hit rates than traditional combo lists. Separately, GPT-4-class models generate synthetic identities that pass KYC checks using AI-generated documents and demographically consistent personal data. Both attacks require defences that go beyond IP-based rate limiting.

A compromised or malicious MCP server can return crafted tool results that redirect an agent's next actions. Unlike prompt injection via user input, tool result injection happens after the agent has already started a task — when its guard is lowest. The tool result appears as factual information from a trusted data source. This article covers the injection mechanism, detection patterns, and architectural controls.

Meta's Llama 3, Mistral, Falcon, and Phi-3 release model weights but not training data, full training code, or data curation pipelines. The 'open source' label means you can audit the weights for trojans, inspect the architecture, and fine-tune the model. It does not mean you can audit what the model was trained on, reproduce training from scratch, or verify the absence of data poisoning. This article maps the security implications of what open source does and doesn't provide for AI models.

vLLM's PagedAttention KV-cache shares GPU memory pages between requests using a reference-counted allocator. Triton Inference Server uses /dev/shm for inter-process tensor passing. In multi-tenant deployments, these shared-memory mechanisms create cross-tenant data exposure: one tenant's prompt tokens and model activations are accessible to concurrent or subsequent tenants through the same shared Linux kernel.

Traditional rules-based AML systems miss sophisticated layering and integration schemes. Graph neural networks detect money laundering patterns invisible in individual transactions, while adversarial robustness research shows AML models can be gamed by sophisticated actors who understand the scoring model. This guide covers GNN-based AML architecture, synthetic identity detection, and hardening ML models against adversarial manipulation.

Fine-tuning pipelines are high-value attack targets. Dataset poisoning, backdoor injection, and poisoned base models can compromise every model your organisation ships. This guide covers the full attack surface and practical mitigations.

The UK AISI SandboxEscapeBench and Anthropic Red Team's 500+ findings invalidate 'minimal containers are secure.' AI scales vulnerability discovery beyond what hardening can keep pace with. Understand what the benchmarks measured and which architectural responses genuinely reduce AI-automated escape probability.

AI models are supply chain artefacts. Treating them as such means generating SBOMs that capture training data lineage, base model provenance, fine-tuning datasets, and hyperparameters — then enforcing attestation pipelines and policy checks before any model reaches production.

Cloud providers, hypervisors, and privileged insiders can observe model weights and every inference query. Trusted Execution Environments — Intel TDX, AMD SEV-SNP, Nvidia H100 confidential computing — move the trust boundary to hardware attestation.

CVE-2026-42208 (CVSS 9.3) is a pre-authentication SQL injection in LiteLLM's API key verification — exploited within 36 hours of disclosure. Patch to v1.83.7+, rotate all LLM provider keys, and harden LiteLLM database access.

RAG systems retrieve external documents and inject them into LLM prompts at inference time. Every component — document ingestion, embedding, vector store, retrieval query, prompt assembly, and LLM response — is an attack surface. This article maps the full RAG threat model and provides concrete mitigations for each stage.

The Axios compromise required scanning hundreds of repos, generating remediation runbooks, and rotating credentials under time pressure. LLMs accelerate IOC parsing, lockfile scanning, and runbook generation — with clear boundaries on what humans must decide.

CVE-2026-33626 lets attackers send LMDeploy's image loader to fetch AWS IMDS credentials. Exploited within 12 hours of disclosure. Harden LMDeploy with URL validation, IMDSv2 enforcement, network egress restrictions, and GPU node isolation.

CVE-2026-21852 lets a malicious repository execute code on any developer running Claude Code. The root cause is MCP's trust model: servers are authenticated by config file presence, not cryptographic identity. Harden MCP server trust boundaries and project config handling.

The Axios 1.14.1 diff had ML-detectable signals: a new postinstall script, a phantom dependency, and code similarity drift. Build a pre-install anomaly detector using package diff features and integrate it as a CI gate before npm install runs.

CISA's companion AI-in-OT guidance defines an 'Assess AI Use' principle. Build a risk-scoring framework for evaluating AI products before OT deployment — covering SIL compatibility, adversarial robustness, vendor governance, and fail-safe requirements.

CISA's companion AI-in-OT guidance defines governance for ML deployed in industrial control environments. Learn how to build ML anomaly detection for predictable ICS traffic, use LLMs for OT alert triage, and avoid AI failure modes in safety-critical systems.

Harden Milvus against CVE-2026-26190 unauthenticated REST API on port 9091, weak predictable debug tokens, and the broader pattern of AI infrastructure exposed without authentication.

Harden ML training pipelines against CVE-2026-1839—unsafe torch.load() in Transformers Trainer._load_rng_state() enabling checkpoint RCE—and the broader unsafe deserialization pattern in ML frameworks.

CVE-2026-22778 chains a PIL memory leak with an FFmpeg heap overflow to achieve unauthenticated RCE against vLLM multimodal endpoints. Learn how silent dependency bumps signal security fixes and how to harden vLLM deployments.

Harden CrewAI multi-agent deployments against CVE-2026-2275 Code Interpreter sandbox escape, CVE-2026-2287 Docker verification bypass, and the silent-fix pattern in fast-moving AI agent frameworks.

Protect ML pipelines from malicious model weights, pickle deserialization attacks, and rogue Hub repositories—with guidance on safetensors adoption and tracking silent fixes in the transformers library.

Harden LangChain pipelines against CVE-2026-34070 path traversal in load_prompt, CVE-2025-68664 deserialization RCE via lc key injection, and tracking silent fixes in fast-moving LangChain releases.

Harden LiteLLM proxy deployments with master key protection, virtual key scoping, spend controls, model aliasing restrictions, and audit logging for multi-provider LLM routing.

Implement and harden OAuth 2.1 authorization for Model Context Protocol servers, covering PKCE flows, dynamic client registration, token scoping, and open source MCP SDK security gaps.

Harden Ollama LLM server deployments against CVE-2026-5757 GGUF heap read, unauthenticated API exposure, and the risk of running software with no active security advisory process.

AI code assistants send code context to external APIs by default, including files, environment variables, and repository contents. Understanding data flows, configuring retention policies, and governing plugin permissions protects intellectual property and prevents credential exfiltration.

Differential privacy adds calibrated noise to gradients during model training, providing a mathematical bound on how much any individual's data can influence model outputs. DP-SGD with TensorFlow Privacy or Opacus limits membership inference and training data extraction attacks.

Multi-turn LLM conversations accumulate context across messages. An attacker who can inject content into earlier turns, poison persistent memory, or hijack session state can influence all subsequent responses in that session — and potentially across sessions if memory is shared.

LLMs that output structured data (JSON, XML, function calls) create new attack surfaces. Malicious input can cause the model to emit schema-violating output that crashes downstream parsers, inject content through nested fields, or produce type confusion that bypasses validation. Schema enforcement and output validation before processing are non-negotiable.

System prompts define LLM behaviour, contain business logic, and often include confidential instructions. Attackers attempt to extract system prompts via direct questions, jailbreaks, and indirect injection. Defence requires architectural separation, prompt design discipline, and output filtering.

Harden vLLM LLM serving deployments with API authentication, request isolation, CUDA memory safety, rate limiting, and audit logging for production environments.

An AI agent that cannot be reliably stopped or overridden is a liability. Designing effective interrupt signals, action rollback, approval gates, and corrigibility constraints keeps humans in control when it matters.

Model weights represent months of compute and competitive advantage. Encryption at rest, IAM scoping, download anomaly detection, and watermarking make weight theft detectable and harder to exploit.

Federated learning distributes training across clients without centralising data, but introduces unique attacks: gradient poisoning, model inversion from updates, and Byzantine client manipulation.

LLMs confidently generate false CVE details, incorrect tool syntax, and fabricated IP addresses when used in security automation. Grounding, confidence scoring, and human-in-the-loop triggers detect and contain these errors.

An agent's run is a graph of model calls, tool invocations, and decisions. Observability that maps cleanly to that graph is the difference between debugging and guessing.

SynthID, the Aaronson scheme, and lexical watermarks embed signatures in model output. Detection works statistically. None survives heavy editing — useful but bounded.

Manual red-teaming finds gaps once. Continuous pipelines find regressions every model upgrade. The infrastructure exists; most teams haven't wired it up.

Vision-language models, audio transcription, and multi-modal agents expose attack surfaces that pure-text security controls miss. Adversarial images, audio jailbreaks, and cross-modal injection require dedicated defences.

ML inference leaks training data through membership inference, model inversion, and embedding attacks. Differential privacy, TEE-based inference, and output filtering bound the leakage.

Synthetic media is now indistinguishable from camera output. Content Credentials are the practical defense — signed manifests embedded in the file itself.

MCP servers expose tool surfaces to LLM agents. The auth model decides what an agent can do — and most deployments leave it underspecified.

Provider-side prompt caching speeds up applications by 30-90% — and introduces a new attack surface with timing side-channels and poisoning vectors.

Agents with long-term memory survive across sessions. Anything poisoned into that memory persists. A one-shot prompt injection becomes a permanent behavioural change.

A modern virus is not the same as a virus from five years ago. AI-generated payloads observe their environment, profile the host, detect sandboxes, adapt their persistence mechanism to the OS they land on, and modify their C2 communication to blend with normal traffic. Every instance is unique. This article covers how adaptive malware works and the defensive controls that defeat it.

If Anthropic's Mythos can find your vulnerabilities, so can every attacker with API access. The only rational response is to find them first. This article covers how to run systematic AI-powered security assessments across your code, infrastructure-as-code, and runtime configuration.

Generative AI has eliminated every traditional indicator of phishing: perfect grammar, personalised context, cloned executive voices, and real-time video deepfakes. This article covers the defensive controls that work when human judgement alone cannot distinguish real from fake.

Frontier AI models like Anthropic's Mythos find vulnerability classes that traditional scanners miss: logic flaws, implicit trust, hardcoded secrets, configuration drift. The defensive response is not faster patching. It is eliminating these classes before they are discovered.

Large language models memorise portions of their training data. Given the right prompt, a model will reproduce training examples verbatim, including..

Model extraction (model stealing) is an attack where an adversary queries a production ML API systematically to reconstruct a functionally equivalent...

AI agents are being deployed with production tool access: shell execution, kubectl, terraform apply, database queries, API calls.

AI governance in most organisations is a manual process. A model is trained, someone writes a document, a committee meets, approvals are collected...

AI systems introduce a supply chain attack surface that traditional software security does not cover. The three new vectors are.

The EU AI Act entered into force in August 2024, with enforcement timelines staggered through 2027.

MCP servers expose tools that agents invoke. Without fine-grained permissions, every connected agent can call every tool. This article covers least privilege patterns, per-client allowlists, human approval gates, audit logging, multi-tenant isolation, and capability tokens.

Static application security testing (SAST) tools find pattern-based vulnerabilities effectively. Semgrep matches code against rules.

AI agents operate at machine speed, generating 10-100x the audit data of human operators.

MCP supports three transport types: stdio, SSE, and HTTP. Each has distinct security characteristics. This article covers transport-level hardening for all three, including process isolation, TLS, mTLS, CORS, reverse proxy configuration, and rate limiting.

Kubernetes security scanners evaluate resources individually. Tools like kube-bench check node configurations against CIS benchmarks.

LLM jailbreaks are inputs that cause a model to ignore its system prompt, safety training, or usage policies.

AI agents generate infrastructure configurations, database migrations, deployment manifests, and shell commands. It passes a casual review.

The Model Context Protocol (MCP) gives AI agents structured access to tools: filesystem operations, database queries, API calls, shell commands.

Infrastructure-as-Code scanners like Checkov, tflint, and cfn-lint enforce policy through pattern matching.

LLM applications are vulnerable to prompt injection, system prompt leakage, and cross-user context contamination. This article covers system prompt hardening, input sanitisation, output filtering, and context isolation for multi-tenant deployments.

AI systems make decisions that affect people: who gets approved for a loan, whose resume gets shortlisted, which content gets flagged, whose...

AI models are no longer just tools that engineers use to write code. They are becoming direct infrastructure consumers:

Signature-based detection (WAF CRS rules, static Falco rules, antivirus signatures) matches "known bad." AI-generated attacks are polymorphic, every...

Embedding-based retrieval powers RAG pipelines, semantic search, recommendation systems, and classification.

AI models can now discover exploitable vulnerabilities in source code faster than human researchers.

Multi-agent systems are moving from research demos to production deployments. A coordinator agent delegates tasks to specialist agents: one handles...

Deploying LLMs in production introduces infrastructure security challenges: model integrity verification, GPU isolation, runtime sandboxing, API authentication, and safe model updates. This article covers the full inference deployment security stack.

Every security architecture is built on assumptions about what attackers can do, how fast they can do it, and at what scale.

Every production AI model has boundaries: input domains where it performs well, edge cases where it fails, and security properties that constrain how...

AI agents with write access to production systems can execute 100+ infrastructure changes per minute.

The gap between vulnerability disclosure and weaponised exploit used to be measured in weeks.

Membership inference attacks determine whether a specific data record was used to train a model.

AI agents execute tool calls on real infrastructure: writing files, running shell commands, making HTTP requests, modifying databases.

Traditional security scanners operate on pattern matching. They check for known CVEs in dependency trees, match regex patterns for hardcoded secrets,...

Manual security review of infrastructure-as-code takes 2-4 hours per pull request for complex changes.

AI agents need credentials to do useful work: database passwords, API keys, Kubernetes service account tokens, cloud IAM roles.

Traditional incident response assumes failures are binary: the service is up or it is down, the response is correct or it throws an error.

When a security alert fires at 2 AM, the on-call engineer faces an information overload problem.

The default Prometheus Operator RBAC grants Prometheus cluster-wide read access to Secrets; a compromised Prometheus instance or a crafted ServiceMonitor can exfiltrate every secret in the cluster through legitimate monitoring scrape operations — scope operator permissions to the minimum required.

CISA's Known Exploited Vulnerabilities catalog is updated when CVEs are confirmed to be actively exploited; ingesting KEV additions as real-time SIEM events and cross-referencing them against your asset inventory generates immediate escalation for the CVEs that matter most.

NGINX CVEs leave patterns in access logs, error logs, and system call behaviour; Suricata network signatures and Falco runtime rules detect active exploitation of mp4 module heap overflows, QUIC module crashes, and ingress annotation injection before the attacker pivots.

Attackers with access to metric write endpoints can inject high-cardinality label values to exhaust Prometheus memory and cause OOM kills; enforce cardinality limits, authenticate remote-write endpoints, and alert on metric explosion before it takes down your monitoring stack.

LLMs triaging security alert queues can suppress genuine incidents via hallucination or adversarial alert content; build safe triage with hard escalation overrides, adversarial-input guards, confidence thresholds, and mandatory human review for high-severity classifications.

eBPF-based network flow visibility tools — Cilium Hubble, Microsoft Retina, and custom XDP programs — expose Kubernetes lateral movement, data exfiltration, and policy bypass in real time; configure flow-level alerting and long-term retention for threat hunting.

LLMs accelerate analyst investigation by translating natural-language hypotheses into detection queries, summarising alert context, and surfacing lateral movement patterns across high-volume log data; integrate them safely without introducing hallucination-driven false negatives.

Attackers with compromised IAM credentials routinely disable CloudTrail, delete log groups, or modify log export destinations before conducting lateral movement; implement immutable WORM log archival, cross-account monitoring, and real-time tampering alerts.

PamDOORa and Quasar Linux RAT — post-exploitation toolkits active in May 2026 — harvest credentials from developer configuration files: .npmrc (npm tokens), .pypirc (PyPI passwords), .git-credentials (Git tokens), ~/.aws/credentials, ~/.config/gcloud, and ~/.kube/config. This article covers eBPF-based monitoring of these file access patterns with Tetragon and Falco, alerting on anomalous reads, and hardening developer environments against credential harvesting.

eBPF rootkits can hook kernel functions to hide processes, filter telemetry before it reaches Falco or Tetragon, and evade EDR; detect them via BPF map inspection, kernel integrity cross-checks, and observability-layer redundancy.

BOLA attacks look like normal authenticated requests — the only signal is that one user is accessing many different object IDs in sequence. Enumeration attacks look like elevated 404 rates from a single source. Mass assignment looks like a PATCH request with unexpected fields. Structured access logs with object ID tracking, status code distributions, and request body field analysis reveal all three without application-level instrumentation.

Knowing that Copa patched an image once is not the same as knowing every production container is currently below the critical CVE threshold. Patch compliance observability requires continuous tracking of image vulnerability age, patch run outcomes, SLA breach detection, and Grafana dashboards that give security teams a real-time view of fleet exposure. This article covers the metrics, exporters, and alerting architecture for container patch compliance at scale.

ContainerSSH records every SSH session as a structured audit log — keystrokes, commands, and output — and can export session recordings to S3 in asciicast format for forensic replay. This article covers ContainerSSH's audit logging pipeline, shipping session recordings to a SIEM, writing detection rules for anomalous session behaviour, and using session recordings for incident response.

Copy-on-write exploits — dirty pipe, dirty COW, overlayfs copy-up races — share a common behavioural signature: a process writes to a page-cache page it should only be able to read, or gains file capabilities it should not have. eBPF tracing programs can detect these patterns at the syscall and VFS layer before privilege escalation completes. This article covers Tetragon and Falco policies for detecting CoW exploitation attempts in real time.

Kubernetes evidence is ephemeral by design — pods are deleted, logs are overwritten, containers are rebuilt. A forensic investigation needs to know: what survives pod deletion, where the Kubernetes API server audit log is stored, what etcd snapshots contain, and how to reconstruct the timeline of an attack from node filesystem artifacts, API server events, and container runtime logs.

The OTel Collector receives telemetry from every service in the cluster — an attacker who controls the collector controls all observability data. Log injection via crafted spans, metric manipulation to hide malicious activity, and configuration injection via the pprof/health endpoints are real attack vectors. This article hardens the collector's receivers, processors, exporters, and management endpoints.

Vault and AWS Secrets Manager both produce structured audit logs. Normal secret access follows predictable patterns: specific applications read specific secrets at predictable intervals. Anomalies — bulk reads, access from unexpected IPs, secrets read but application not restarted, rotation events without matching deployment events — reveal compromise or misconfiguration before credentials are used externally.

Standard bot detection — mouse movement, typing cadence, session replay heuristics — fails against LLM-driven agents that generate statistically humanlike behaviour. Seven detection signals derived from server-side observability survive AI mimicry: API call graph topology, resource fetch completeness, semantic request coherence, timing variance under load, DNS pre-resolution patterns, WebSocket heartbeat regularity, and server-push utilisation.

LLMs can generate statistically plausible log entries that match the style, timing, and content of a real application's log stream. An attacker with post-compromise write access to logs can backfill plausible cover-traffic, forge authentication events, or erase evidence by substituting fabricated entries. SIEM pipelines that trust log content need cryptographic integrity proofs.

An LLM can write a Prometheus exporter, a Fluent Bit parser, or an OpenTelemetry instrumentation library in minutes. The result works today. In 18 months it is unmaintained, incompatible with current Prometheus scraping changes, not integrated with the OpenTelemetry semantic conventions update, and has no vendor interoperability. The value of open source observability is the ecosystem contract, not the code.

CVE-2021-3490 (ALU32 bounds bypass) and CVE-2022-23222 (pointer arithmetic escape) both allowed unprivileged eBPF programs to achieve kernel write primitives. Observability tools like Falco, Tetragon, and Pixie that load eBPF programs into the kernel expand the attack surface — a compromised tool or malicious pod with BPF privileges can escalate to host root.

Hardening browser-side RUM and session-replay pipelines: PII scrubbing, supply-chain integrity, sampling controls, and detection for hostile telemetry.

Nation-state adversaries are actively recording encrypted traffic today for future quantum decryption. HNDL attacks are detectable through anomalous network tap placement, bulk TLS session recording patterns, and unusual data volume exfiltration. This guide covers HNDL threat indicators, network monitoring for bulk collection behaviour, and using PQC adoption as a detection tripwire.

When an AI agent reads a sensitive file, executes a database query, or calls an external API via MCP, that action is invisible to traditional audit systems — it appears as normal process I/O, not as a distinct auditable event. Structured MCP tool call logging, parameter capture, and result hashing give incident responders the trail they need to reconstruct what an agent did and why.

Observability tools store security-sensitive data — logs containing credentials, metrics revealing system behaviour, traces with PII. Vulnerabilities in Prometheus, Grafana, Elasticsearch, and Loki can expose this data or provide a pivot into the infrastructure they monitor. This guide covers the security disclosure processes for major observability projects, how to report vulnerabilities, and how to respond as a consumer.

OTel Profiles is the fourth signal alongside traces, metrics, and logs — stable as of 2025 and now flowing through the OTel Collector by default. Stack frames carry function names, file paths, and sometimes full SQL or cleartext URLs. Hardening guide for collector pipelines and storage.

The Linux perf_event_open() syscall — used by perf, pprof, py-spy, async-profiler, and Datadog APM — has produced a stream of local privilege escalation CVEs. CVE-2023-2235 (use-after-free in perf_group_detach) required only perf_event_paranoid <= 1 to achieve kernel code execution. The tradeoff between profiling capability and kernel attack surface is controlled by a single sysctl.

SAST tools report thousands of findings — but most are in code paths that are never executed in production. Correlating static findings with runtime traces, error rates, and WAF telemetry identifies which vulnerabilities are in hot code paths, which are reachable from the internet, and which can be de-prioritised. This guide builds a SAST-to-runtime correlation pipeline using OpenTelemetry, distributed tracing, and SARIF metadata.

AI inference endpoints are APIs with unusually high blast-radius inputs: a single prompt can exfiltrate training data, bypass all downstream application logic, or drain budget at scale. This article builds a security observability layer specifically for LLM inference — logging the right signals, detecting prompt injection and jailbreaks, identifying model extraction attempts, and applying OpenTelemetry GenAI semantic conventions without creating a PII logging catastrophe.

Alertmanager webhook receivers can be weaponised for SSRF if an attacker modifies the configuration. Harden the admin API with authentication, restrict receiver URLs to an allowlist, and protect the alert pipeline from pre-attack blind spot creation.

API gateways aggregate traffic statistics, but security threats live in per-caller behaviour over time: brute-force patterns across auth failures, scanning behaviour in parameter variation, data dump signatures in response sizes. This article builds a security observability layer on top of API traffic using OpenTelemetry, Prometheus, and Elasticsearch to surface what gateway dashboards hide.

Cost spikes are often the earliest observable indicator of a cloud compromise. Learn how to configure AWS, GCP, and Azure cost anomaly detection, correlate billing signals with security events, and automate quarantine responses.

Malware lives in memory only, credentials sit decrypted in heap, C2 implants leave no files on disk. This guide covers capturing and analysing container process memory without losing evidence — using /proc, gcore, CRIU checkpoints, and Volatility 3.

Understand the kernel attack surface, privilege model, and data sensitivity risks of eBPF-based continuous profiling with Parca and Grafana Pyroscope, and harden deployments against each threat.

Attackers steal credentials before they steal data. This article shows how to instrument auditd, Falco, Kubernetes audit logs, and CloudTrail to detect OS credential dumping, brute force, credential stuffing, and cloud IAM abuse before they lead to a breach.

Attackers who reach your data will use HTTP/S, DNS tunnelling, ICMP, cloud storage, and email to move it out. This article builds a layered detection stack: volumetric alerts on VPC flow logs, covert channel detection via Zeek and Elasticsearch, Falco rules for staging behaviour, cloud DLP integration, and a high-confidence correlation rule that combines internal staging with external transfer.

Application logs tell you what the API did. Database audit logs tell you what actually happened to the data. Learn how to configure pgaudit, MySQL audit plugins, MongoDB auditing, and Redis monitoring to detect SQL injection, privilege escalation, and exfiltration at the data layer.

The Datadog Agent runs with broad system access by default — reading all container logs, hooking the kernel for APM, and transmitting data to Datadog's intake. Hardening covers Agent privilege reduction, API and app key management, RBAC scoping, sensitive data scrubbing, network configuration, and Datadog's own CSPM and audit trail features.

LLMs escaping containers show distinct patterns: systematic /proc enumeration, rapid sequential exploit attempts, and methodical attack chain progression. Build Falco rules and eBPF detection tuned for AI attack signatures rather than just human-paced intrusion patterns.

Falco is the de facto standard for Linux runtime security monitoring. This guide covers its syscall-based detection model, writing custom rules for privilege escalation, container escapes, and credential access, tuning rules to eliminate false positives, securing falco.yaml, routing alerts through Falcosidekick, and automating response with Falco Talon.

Deploy a layered file integrity monitoring strategy using AIDE for baseline integrity checks and Falco for real-time detection. Covers AIDE configuration, database initialization, scheduled checks, SIEM integration, Falco fanotify rules for /etc/ and /usr/bin/ writes, combining both tools, Wazuh syscheck as a managed alternative, and handling legitimate change windows.

Fluent Bit runs as a privileged DaemonSet that reads every pod log on every node. A misconfigured Fluent Bit deployment leaks PII, ships logs to the wrong destination, and provides an exfiltration vector. Harden RBAC, mTLS output, PII scrubbing, and routing controls before attackers reach your log pipeline.

Kubernetes events surface OOMKilled pods, image pull failures, CrashLoopBackOff cycles, and node pressure before an attacker's activity reaches audit logs — here's how to collect, ship, and alert on them.

Regulatory frameworks disagree on how long logs must be kept, but they all agree logs must be tamper-evident and access-controlled. This guide covers tiered retention design, WORM archival with S3 Object Lock, Elasticsearch ILM, GDPR right-to-erasure tensions, and cost-optimised cold storage for PCI DSS, SOC 2, HIPAA, and GDPR compliance.

When mTLS is misconfigured, traffic silently falls back to plaintext or fails — with no visible error unless you have the right metrics. This guide covers the key signals to track: handshake failure rates, certificate expiry, plaintext traffic detection, Istio and Linkerd mTLS coverage metrics, and SPIFFE SVID rotation health.

Payment fraud detection requires sub-second decisions combining transaction velocity, device fingerprinting, geolocation consistency, and behavioral baselines. This guide covers building a layered fraud detection system with rule-based velocity checks, ML-based anomaly scoring, and streaming analytics — applicable to card payments, ACH transfers, and Open Banking transactions.

Individual process events look normal in isolation. Process lineage exposes the attack: nginx spawning bash spawning curl is a web shell, not routine activity. This article covers eBPF-based parent tracking, Falco rules, osquery lineage queries, Elasticsearch aggregations, and specific detection patterns for web shells, reverse shells, credential dumping, and container escapes.

RASP instruments the application runtime itself — JVM agents, Python function hooks, Go middleware — giving it full execution context to detect and block SQL injection, command injection, and path traversal at the exact point they occur, not at the network perimeter. This article covers how RASP works, open-source and commercial options, implementing lightweight Python and Java RASP, performance trade-offs, and how RASP fits as a defence-in-depth layer alongside input validation and WAFs.

Single-event SIGMA rules miss multi-stage attacks where every individual event looks benign. EQL sequence detection, graph-based entity correlation, and temporal pattern analysis close this gap — turning scattered low-confidence signals into high-confidence attack-chain alerts.

Apply SRE error-budget discipline to security posture: define SLIs for mTLS coverage, vulnerability scan pass rates, secret rotation, patch SLA, and MTTD. Set realistic SLOs, implement multi-window burn-rate alerts in Prometheus, and use budget depletion to trigger security sprints.

Serverless and FaaS workloads present unique security observability challenges: no persistent agents, ephemeral execution environments, and platform-managed runtimes with limited introspection. This article covers structured security logging, abuse detection, layer integrity, secret management, VPC controls, and exfiltration detection for AWS Lambda, GCP Cloud Functions, and Azure Functions.

Splunk ingests every security log in your environment — compromising it gives an attacker a complete map of your defenses and an erasure tool for the audit trail. This guide covers SAML/LDAP authentication, role-based access control, TLS hardening for forwarder-to-indexer traffic, audit logging, and protecting the splunk.secret file.

Prometheus Blackbox Exporter probes external endpoints continuously — making it a powerful early-warning system for TLS certificate expiry, TLS downgrade attacks, content tampering, DNS hijacking, and missing security headers, weeks before users are affected.

Distributed traces are a security liability by default — they accumulate request parameters, user IDs, internal service URLs, and raw SQL across every hop of every request. This guide hardens the full tracing stack: PII scrubbing before storage, Tempo authentication and multi-tenancy, S3 backend encryption, Jaeger access control, OTLP endpoint authentication, and the right-to-erasure problem in append-only trace storage.

Single Prometheus instances per cluster give every tenant shared access to every metric with no isolation, no long-term retention controls, and no cross-cluster query security. Thanos solves the scaling problem but introduces its own attack surface: exposed gRPC endpoints, cross-tenant query leakage, object storage misconfigurations, and PII in time-series labels. This guide hardens every Thanos component.

Signature-based detection misses insider threats and compromised credentials entirely. UBA builds behavioral baselines per user and entity, then surfaces deviations — off-hours access, bulk downloads, impossible travel — as risk scores that trigger investigation before damage is done.

VictoriaMetrics is a high-performance Prometheus-compatible TSDB with no built-in authentication. Without vmauth, anyone who reaches any component endpoint reads or writes all metrics. This guide hardens every layer: vmauth proxy authentication, per-component TLS, vmgateway JWT tenant isolation, vmagent credential management, deleteRange API access control, and backup encryption.

CVE-2026-27880 lets Grafana Viewers bypass datasource access controls with a double slash in the API path. Patch to fixed versions, enforce datasource permissions, and understand the HTTP path normalisation class of auth bypass vulnerabilities.

OpAMP lets a central server push arbitrary pipeline configs to OTel Collectors. An attacker with OpAMP server access can redirect all telemetry to their endpoint or disable security alert pipelines. Harden the OpAMP trust boundary with mTLS, config signing, and change alerting.

After the Axios compromise, organisations needed to know if 1.14.1 was running in production. SBOMs attached to container images as OCI attestations make this a seconds-long query. Build a continuous SBOM monitor that alerts when IOC packages appear in deployed workloads.

CVE-2026-27876 chains a SQL expressions file-write with Grafana's enterprise plugin loader to achieve RCE from Viewer access. Understand the delayed-disclosure pattern and how to harden plugin trust, feature toggles, and filesystem permissions.

The Axios RAT executed, phoned home, and erased its traces within seconds of npm install. Build runtime detection across process tree monitoring, network telemetry, and file system events — and a Sigma rule for the Axios IOC pattern.

CISA's OT Zero Trust guidance covers pre-crisis decision matrices and MITRE ATT&CK for ICS playbooks. Learn what to preserve from PLCs and HMIs before power cycling, how to structure OT IR playbooks, and how to build forensic readiness into air-gapped OT networks.

CISA's OT Zero Trust guidance recommends Malcolm for OT network traffic analysis. Deploy Zeek-based passive monitoring with Modbus and DNP3 parsers, build behavioral baselines, and implement specification-based detection for process variable anomalies.

Harden OpenTelemetry language SDKs against CVE-2026-40182 unbounded memory DoS in the OTLP exporter and CVE-2026-40891 gRPC trailer parsing DoS—and track silent fixes in fast-moving SDK releases.

Harden Wazuh against CVE-2026-30893 cluster path traversal RCE (CVSS 9.0) and CVE-2026-25769 deserialization RCE, with monitoring for Wazuh's coordinated disclosure patterns.

Harden Grafana Beyla deployments by scoping eBPF privileges, restricting process visibility, preventing telemetry data leakage, and controlling network-level instrumentation scope.

Harden Grafana deployments against CVE-2026-27876-class RCE via SQL expressions and Enterprise plugins by controlling feature toggles, plugin permissions, and monitoring silent Grafana security releases.

Harden Graylog log management against CVE-2026-1435 session fixation (CVSS 9.1), CVE-2026-1436 IDOR, and the 7-CVE April-May 2026 batch—with Graylog's advisory monitoring patterns.

Configure OpenTelemetry Collector tail-based sampling to guarantee retention of security-relevant spans while controlling volume, and track OTel Collector CVEs from public PRs.

Harden Prometheus against CVE-2026-42151 OAuth credential exposure via /-/config, CVE-2026-42154 stored XSS, and the recurring pattern of security fixes shipped in routine Prometheus releases.

Harden Vector log collection pipelines against Lua transform code execution, source input injection, credential exposure, and silent security fixes in Vector's Datadog-driven release process.

Alertmanager routes security alerts to PagerDuty, Slack, and email. Exposed receiver credentials, unauthenticated silence APIs, and overly broad inhibition rules can suppress legitimate security alerts — exactly what an attacker wants. Hardening Alertmanager protects the alerting pipeline itself.

Protect sensitive call-stack and memory data collected by eBPF-based continuous profilers (Parca, Pyroscope) with access control, PII scrubbing, and retention limits.

Distributed traces capture the full execution path of a request across services — including HTTP headers, query parameters, and error payloads that may contain PII, authentication tokens, or internal system details. Securing the tracing pipeline requires data scrubbing at collection, access controls on trace storage, and sampling policies that limit exposure.

Elasticsearch clusters exposed without authentication have been the source of hundreds of data breaches. Enabling TLS between nodes and clients, configuring role-based access control, and enabling audit logging closes the most common attack vectors against ELK and EFK stacks.

Grafana dashboards expose infrastructure metrics, logs, and traces — often including sensitive operational data. Hardening authentication, restricting data source access by team, disabling anonymous access, and auditing snapshot sharing prevents data exposure.

Loki aggregates logs from all services. Without authentication, anyone who reaches the Loki endpoint reads all logs. Multi-tenancy requires strict tenant isolation, rate limiting per tenant, and append-only storage to prevent log tampering.

Application logs are the primary source of authentication, authorisation, and API activity signals. Most applications log too little for security, or too much PII. Structured security events fix both.

Cloud audit logs are your primary evidence source for privilege escalation, data exfiltration, and lateral movement at the cloud control plane. They require active hardening to be tamper-proof and queryable.

Flow records capture who talked to whom, when, and how much — without packet payload. They detect C2 beaconing, lateral movement, data exfiltration, and port scanning that signature-based tools miss.

If you haven't tested that your detection rules fire and alerts route correctly, you don't know if they work. Security chaos engineering injects controlled attacks to validate the detection stack before a real attacker does.

Per-rule grouping and fingerprint-based dedup get you from 10,000 alerts/day to 200. Correlation across signals is the next jump — to 30 actionable incidents.

What you don't capture, you can't investigate. Forensic readiness is the discipline of designing the logging layer so post-incident you have what you need.

Deception detects attackers who evade signature-based controls by placing fake credentials, canary tokens, and honeypot services that trigger high-confidence alerts on access.

Treat security as a service: define SLIs (detection coverage, MTTD), set SLOs, track burn rate. The same discipline that makes reliability measurable makes security measurable.

Osquery turns your fleet into a queryable database. Scheduled queries surface persistence mechanisms, lateral movement artefacts, and IOCs across thousands of hosts simultaneously.

If you cannot measure your detection program, you cannot improve it. The metrics that matter, how to compute them, and what they trigger when they shift.

OTel traces capture authorization headers, URL params, internal IDs, and database query strings by default. Without redaction, your traces are an exfiltration target.

SIEM bills double yearly because nobody owns the spend. Cardinality control, retention tiering, and sampling reduce cost 40-70% without losing detection.

Detection logic scattered across SIEM consoles and shell scripts does not scale. Sigma rules in Git, tested in CI, converted to any backend on deploy, do.

Most security dashboards are vanity metrics, total alerts this month, pie charts of vulnerability severity, traffic heatmaps that look impressive but.

Distributed tracing is standard for performance debugging, but almost no team uses it for security.

An OTel Collector pipeline with default settings forwards every attribute, header, and trace to your backend with no filtering or authentication.

East-west traffic inside a Kubernetes cluster is a blind spot for most security teams.

Prometheus is deployed in most Kubernetes environments for infrastructure monitoring (CPU, memory, disk, request latency.

Falco monitors syscalls for runtime detection. Tetragon (CNCF/Cilium) goes deeper: it monitors process execution, network connections, and file...

An attacker's first post-compromise action is covering their tracks. On a Linux host, this means deleting /var/log/audit/audit.log, clearing journal..

Container escapes are the highest-impact attack in Kubernetes. A single compromised pod that escapes its container gains access to the underlying...

Kubernetes audit logging at the RequestResponse level captures everything: every API call, every request body, every response payload.

Cryptojacking is the most common post-compromise activity in Kubernetes environments.

Security detection that generates 50+ false positives per day is worse than no detection, it trains the team to ignore alerts.

Certificate expiry is the most common cause of preventable production outages. When a TLS certificate expires, HTTPS connections fail, mTLS...

Detection without documented response is security theatre. Most teams have alerts that fire at 3 AM, but no written procedure for what the on-call...

Self-managed log infrastructure is one of the highest operational costs for small-to-medium teams.

Linux audit logs are the ground truth for security investigation. auditd captures kernel-level events that no userspace tool can see: file access by...

Asyncify (Emscripten's coroutine transformation for Wasm) restructures binary layout, enlarges stack frames, and adds unwind/rewind control flow paths; the transformation changes the attack surface of a Wasm module in ways that standard security analysis of the pre-transformed source does not capture.

Wasmtime, WasmEdge, wasmer, wazero, and V8's Wasm engine each have their own CVE histories; as the CVE surge affects runtime dependencies, organisations embedding Wasm runtimes must track runtime-specific advisories, pin runtime versions with digest verification, and automate update triggers when runtime CVEs are published.

NJS (NGINX JavaScript) runs as a privileged extension of the NGINX worker process with full access to request context and no sandbox boundary; compare the security model of NJS scripting against Wasm filter isolation for untrusted or complex routing logic.

The shared-everything threads proposal extends Wasm shared memory to GC objects, breaking the per-thread memory isolation that existing sandboxes rely on; new handle-based access control and synchronisation audit requirements for runtimes enabling this feature.

Wasm's deterministic execution and module signing produce verifiable audit records that prove a specific model inference function executed on specific inputs; build tamper-evident AI decision logs for regulated use cases using Wasm execution attestation.

Wasmtime's epoch interruption system allows hosts to safely terminate long-running or malicious Wasm modules without undefined behaviour; configure per-module deadlines, cooperative yield points, and production timeout policy to prevent resource exhaustion and enable DoS-resistant plugin execution.

WebAssembly provides capability-controlled sandboxing for LLM agent tool plugins, preventing tool calls from escaping their permission boundary; compare Wasm-based isolation with process-based alternatives and implement a secure plugin host using Extism or Wasmtime.

The Wasm multi-memory proposal enables multiple separate linear memories within a single module; use dedicated memories for cryptographic keys and PII to limit blast radius on buffer overflows and prevent cross-memory pointer leakage.

CVE-2026-3910 (V8 inappropriate implementation in WebAssembly) and CVE-2026-2796 (JIT miscompilation in the JavaScript/WebAssembly component) are the latest in a series of browser WASM sandbox escapes. Server-side WASM runtimes — Wasmtime, WasmEdge, wazero — face structurally similar JIT and type-confusion risks. This article analyses what browser WASM exploits reveal about the trust model for server-side WASM, and what production operators should do differently.

The Wasm coredump spec dumps full linear memory on trap, exposing secrets, PII, and cryptographic material; disable coredumps in production runtimes, scope them to non-sensitive workloads, and implement post-process scrubbing pipelines where debugging requires coredump access.

ContainerSSH's authentication and config webhook is a critical-path HTTP service — every SSH connection waits for it. Running this webhook as a WebAssembly function on Cloudflare Workers or Fastly Compute moves authentication to the network edge, reducing latency, eliminating a central server bottleneck, and sandboxing the policy logic in a WASM runtime. This article covers the ContainerSSH webhook contract, implementing it as a WASM edge function with OIDC token validation, and the security model of edge-deployed auth.

Copa's scanner plugin interface accepts vulnerability reports via stdin as JSON, making it possible to write custom scanner adapters that feed non-Trivy data sources into Copa's patching engine. Compiling these adapters as WebAssembly components enables sandboxed, portable plugin execution — the plugin cannot access the host filesystem or network beyond what Copa explicitly grants. This article covers the Copa plugin JSON contract, building a WASM scanner adapter, and the security model for sandboxed Copa plugins.

Envoy's WASM filter SDK allows running API security logic — rate limiting, input validation, JWT inspection, schema enforcement — as WebAssembly modules in the proxy sidecar. WASM isolation means a bug in the security filter cannot corrupt Envoy's memory or affect other filters. This article implements rate limiting and input validation filters in Rust, covers the CVE patterns specific to WASM Envoy filters, and explains the capability model that limits filter blast radius.

The WebAssembly Component Model introduces a new package unit — the .wasm component — with its own registry (warg), composition model, and security surface. This article covers signing WASM components with cosign, attaching SLSA provenance to WASM artifacts, verifying component identity at runtime, and hardening warg registry deployments against dependency confusion and typosquatting.

WASM modules deployed at the edge (Fermyon Spin, Fastly Compute, Cloudflare Workers) need secret access without bundling credentials into the WASM binary. WASI keyvalue provides a standardised secret access interface that the runtime implements — the WASM module never holds the raw secret, only requests it via capability. This article implements secret access patterns for each major WASM edge platform and explains why WASM's capability model prevents accidental secret leakage.

Deploying authorization logic as WASM filters in Envoy and at CDN edge (Cloudflare Workers, Fastly Compute) moves enforcement to the request path without a round-trip to a central PDP. This article covers implementing JWT validation, SPIFFE SVID verification, and OPA policy evaluation as Envoy WASM filters; edge-native OIDC token inspection; and the security tradeoffs of distributed vs centralized enforcement.

A Wasmtime JIT bug that escapes the WASM sandbox doesn't give the attacker root on the cluster — it gives them code execution within the Wasmtime process, which runs inside a Kubernetes pod with a service account token, mounted secrets, and network access. The post-escape pivot paths are identical to any other compromised pod: service account token abuse, lateral movement via network, and secrets harvesting. WASM-in-Kubernetes needs all standard pod hardening.

WebAssembly's memory.copy, memory.fill, and bulk memory operations are bounds-checked by the runtime, but host-to-WASM buffer exchange, shared memory with threads, and guest-controlled copy lengths can still produce out-of-bounds access, Spectre-style cross-module leakage, and host memory corruption if the host-side copy API is not carefully implemented. This article covers the WASM memory model, bulk memory instruction safety, shared memory threading risks, and safe host-guest buffer transfer patterns.

As WASM adoption grows, so does the need for secure WASM module distribution — with the same supply chain controls applied to container images: signing, attestation, vulnerability scanning, and access control. This article covers the warg (WebAssembly Registry) protocol security model, using OCI registries to distribute WASM modules, scanning WASM binaries with cargo-vet and custom tooling, and enforcing signed WASM before execution in Wasmtime and Spin.

Platform engineering tools increasingly use WASM as an extension mechanism — Backstage plugins, kubectl plugins, Helm plugins, and CI/CD systems can all run WASM. The WASM sandbox provides isolation, but the host API surface, WASI capabilities granted, and plugin supply chain remain attack vectors. This article covers the WASM extension security model, capability restriction using WASI component interfaces, plugin signing, and sandboxing third-party platform plugins.

WASM applications making HTTPS calls are protected by the TLS of the underlying runtime — which may or may not support post-quantum key exchange. Applications that implement their own TLS (via rustls, ring, or WebCrypto) control their own PQC readiness. This article implements ML-KEM (FIPS 203) + X25519 hybrid key exchange in WASM using the ml-kem crate, explains the WebCrypto API limitations for PQC, and covers the Fermyon Spin and Cloudflare Workers network client patterns.

WASM serverless functions running on Cloudflare Workers, Fastly Compute, and Fermyon Spin need access to cloud resources — but storing static credentials in WASM binaries or environment variables is dangerous. This article covers OIDC-based cloud access from WASM serverless environments, service binding patterns, Cloudflare Workers Service Bindings for R2/KV/D1, and the security model for WASM functions accessing cloud IAM.

The WebAssembly specification is formally defined, but the specification is not the security boundary — the runtime implementation is. Wasmtime has formal verification efforts, a Bytecode Alliance security disclosure process, and a CVE history that shows what correct runtime security looks like. An AI-generated WASM interpreter built in a weekend has none of these properties. For WASM, security is implementation correctness all the way down.

WASI Preview 2 replaces POSIX-style ambient filesystem and network access with explicit capability grants per component. A WASM component that isn't granted a filesystem capability cannot access files — not because the OS denies it, but because the syscall doesn't exist in its interface. This article analyzes what WASI P2 actually prevents, what it doesn't, and where kernel-level controls remain essential.

Cloudflare Turnstile, DataDome, Akamai BotManager, and PerimeterX ship obfuscated WebAssembly modules to browsers as bot detection challenges. The WASM module collects browser fingerprints, runs integrity checks, and generates a token. Reverse engineers have fully documented how to extract and replay these tokens. The real protection isn't the WASM obfuscation — it's the server-side token validation and the signals the WASM module can only collect from a real browser environment.

WebCrypto doesn't support ML-KEM — but WASM compiled from liboqs fills the gap for browser applications needing post-quantum key exchange today. This guide implements hybrid X25519+ML-KEM-768 key encapsulation in a browser application using WASM, integrates with WebCrypto for AES-GCM encryption, and covers key material handling to prevent leakage from WASM linear memory.

WebAssembly runtimes promise isolation without sharing a kernel — each module runs in a sandboxed linear memory region enforced by the runtime, not the OS. CVE-2023-26114 (Wasmtime heap escape) showed what happens when the runtime itself has a bug. And when WASM runs inside a container, it inherits all the shared-kernel risks it was supposed to avoid.

Transformers.js, MLC-LLM (WASM backend), and ONNX Runtime Web deploy model weights to the browser or edge device where they are accessible to the runtime environment. Model extraction attacks — query-based extraction, weight file download, and WASM memory dump — can steal the full model with commercial value in the billions. WASM's linear memory model makes this easier than stealing server-side model weights.

A vulnerability in a WASM runtime directly undermines the sandbox guarantees your application relies on. Wasmtime sandbox escapes, V8 JIT compiler vulnerabilities, and WasmEdge memory safety bugs have all appeared as CVEs. This guide covers how each WASM runtime handles security disclosures, how to track runtime CVEs, and the emergency response process when a critical sandbox-escape vulnerability is published.

Running MCP tool implementations as WebAssembly modules via Extism or Fermyon Spin isolates each tool in its own sandbox with explicit capability grants. A compromised or buggy tool implementation cannot read the host filesystem, call unintended APIs, or affect other tools — it can only use the capabilities its WASM module was explicitly granted. This trades some performance for a dramatically reduced blast radius per tool.

WASM security scanning requires a two-layer approach: static analysis of the source language (Rust Clippy security lints, cargo-audit, semgrep) catches vulnerabilities before compilation, and binary-level analysis of the compiled WASM module (wasm-objdump, wasm-decompile, twiggy) verifies the output has expected properties. This guide builds a complete WASM security scanning pipeline for Rust and C compiled to WASM.

Spectre-class transient-execution attacks remain reachable from Wasm guests on shared hosts. Wasmtime, V8 Liftoff, and SpiderMonkey have all shipped concrete mitigations — masked indexed loads, fuel-based timing limits, separated heaps. This is what they actually do, when they help, and how to configure them in production.

Security model and hardening for Wasmtime's Pulley portable interpreter on platforms without Cranelift JIT: bytecode validation, resource limits, attack surface vs JIT.

Running WebAssembly at the CDN edge compresses your threat surface — no OS, no persistent disk, ephemeral instances — but the security model has sharp edges: Durable Object state leakage, secret management mistakes, supply chain exposure in npm dependencies, and observability gaps that blind you to edge-side attacks.

SaaS platforms, plugin systems, and data pipelines that let users upload WASM modules need more than the default sandbox. This guide covers pre-execution validation, strict import allowlisting, per-tenant resource isolation, output validation, and multi-layer defence for user-provided WASM execution.

WASI Preview 2 stabilised the Component Model and capability-based I/O. WASIp3 introduces async/await with capability-safe concurrency. This guide covers the security implications of each WASI generation, upcoming proposals (wasi-crypto, wasi-nn, wasi-keyvalue), and how WASI's capability model evolves toward zero-ambient-authority WASM systems.

Gateway WASM plugins process all traffic flowing through the gateway — request headers, auth tokens, and bodies. This guide covers supply chain security for gateway plugins, capability restrictions, sandboxed execution with resource limits, per-tenant plugin isolation, and audit logging for plugin-based security decisions.

Security engineers use wasm-decompile, Ghidra, and Binary Ninja to audit WASM modules for hardcoded credentials, unsafe imports, and vulnerable patterns. This guide covers WASM analysis tooling for defenders, supply chain binary diffing, and realistic IP-protection options for proprietary WASM code.

Traditional POSIX I/O grants processes ambient authority over any path they have filesystem permission to access. cap-std eliminates that by replacing ambient functions with capability objects — every file operation is relative to a pre-opened Dir handle, making path traversal structurally impossible and WASM plugin sandboxing composable without root.

Running financial calculations in JavaScript exposes them to prototype pollution, DOM-based XSS exfiltration, and supply chain attacks via npm. WASM provides a memory-isolated execution environment for interest rate models, risk calculations, and KYC scoring that JavaScript's shared heap cannot. This guide covers implementing financial calculation sandboxes in WASM, preventing data exfiltration, and integrating with banking applications.

The WASM Component Model enables building applications from composed components — but capability flow between components, confused deputy attacks, and supply chain risks in composed graphs require explicit security design. This guide covers WIT interface auditing, transitive capability control, and secure composition with wasm-compose.

WASM doesn't guarantee constant-time execution — JIT optimisations can introduce timing variations that break cryptographic security. This guide covers evaluating WASM crypto libraries for timing safety, using WASI Crypto for hardware-accelerated operations, key zeroisation in linear memory, and RNG security.

Untrusted WASM modules can block a host thread forever with a single infinite loop. Fuel metering and epoch interruption give you hard, auditable CPU budgets — per call, per tenant, and per billing cycle.

Coverage-guided fuzzing finds both runtime vulnerabilities in Wasmtime/V8 and application bugs in WASM modules. This guide covers wasm-smith for structured WASM generation, cargo-fuzz for Rust WASM modules, differential fuzzing across runtimes, and building a continuous fuzzing pipeline.

Host functions are the attack surface between the WASM sandbox and the host system. A poorly designed host API gives untrusted WASM code a path to host-level capabilities. This guide covers minimal host API design, input validation in host functions, preventing TOCTOU across the boundary, and auditing host function exposure.

Shipping WASM modules instead of full firmware images reduces OTA update risk — the WASM sandbox contains execution, memory-safe Rust prevents memory corruption bugs, and modules can be signed and verified before loading. This guide covers secure OTA distribution, runtime verification, rollback mechanisms, and resource constraints for WASM on embedded targets.

AI tools discover C/C++ memory corruption bugs at scale — the classes of vulnerabilities that dominate container escape CVEs. WASM's memory safety model eliminates these classes by design. Understand where WASM isolation is strictly stronger than containers, where it is weaker, and how to combine both.

Understand how JIT spraying and speculative execution attacks target WASM runtimes, and harden Wasmtime, V8, and SpiderMonkey against Spectre, JIT code injection, and side-channel leakage.

WASM sidecars in Kubernetes offer smaller attack surface than language-runtime sidecars — no shell, no package manager, no OS CVEs beyond the runtime itself. This guide covers WASM-based admission webhooks, policy sidecars, traffic inspection with wasm-filter, and security properties compared to traditional sidecar proxies.

Wasmtime's AOT precompilation and module caching dramatically reduce cold-start latency — but cached native code is a high-value attack target. This guide covers securing the Wasmtime cache directory, binding cached artefacts to source module hashes, detecting cache poisoning, and safe precompilation pipelines.

Loading an untrusted .wasm binary without explicit validation gates hands an attacker a structured sandbox escape surface. This article covers pre-load integrity checks, Wasmtime's multi-layer validator, import allowlisting, export surface auditing, and supply-chain verification before instantiation.

OCI-based WASM signing works for container registries, but many WASM use cases distribute modules via HTTP, npm, or direct file transfer. This guide covers COSE (CBOR Object Signing) for WASM, signing WASM modules published to npm, Sigstore bundle format for non-OCI distribution, and verifying signatures in Wasmtime before instantiation.

WASM enables safe, user-space packet processing for network security applications — without eBPF's kernel privilege requirements. This guide covers WASM-based packet filters with libpcap, network security functions in WasmEdge, comparing WASM vs eBPF for security use cases, and safe packet dissection in WASM.

OPA's WASM compilation target enables portable policy evaluation, but WASM also enables entirely custom policy engines in any language. This guide covers OPA Rego-to-WASM, Cedar policy engine in WASM, Styra DAS, and building custom authorisation logic as a WASM module for embedding in applications and gateways.

WASM deployments using RSA or ECDH key exchange are vulnerable to harvest-now-decrypt-later attacks. This guide covers compiling NIST-standardised PQC algorithms (ML-KEM, ML-DSA) to WASM, WASI Crypto's PQC roadmap, performance implications of PQC in constrained WASM environments, and migration strategies for WASM-based TLS and signing.

WebAssembly 2.0 reference types let WASM code hold opaque handles to host objects. Insecure host bindings risk type confusion, use-after-free, and capability escalation across security boundaries. Build safe externref bindings with lifetime tracking, type tagging, and capability scoping.

WASM's deterministic execution, memory safety, and sandboxing make it attractive for regulated environments — but FDA, ISO 26262, and IEC 62443 impose requirements around verification, validation, and safety certification. This guide covers WASM in safety-critical systems, formal verification approaches, and regulatory compliance considerations.

Remote parties can't trust a WASM execution result unless they can verify the runtime is unmodified and running the expected module. This guide covers runtime attestation using TPM measurements, TEE integration with confidential containers, module hash verification, and building attestable WASM execution services.

eBPF and Falco are blind inside WASM sandboxes — security visibility requires WASM-level instrumentation. This guide covers Wasmtime linker-based host function wrapping, component-model monitoring components, OpenTelemetry from WASM, and detecting anomalous execution patterns through instrumented runtimes.

A WASM module compiled from Rust carries dozens of crate dependencies — none visible from the binary alone. This guide covers SBOM generation for WASM modules with syft and cargo-sbom, attaching provenance attestations as OCI referrers, verifying module lineage before deployment, and WASM-specific supply chain policy enforcement.

The WASM sandbox prevents direct syscalls — but the runtime process still needs OS access, and a sandbox escape leads to unrestricted syscall access. Applying a seccomp profile to the WASM runtime process limits the blast radius of runtime vulnerabilities, complementing the WASM sandbox with a kernel-level enforcement layer.

A complete WASM security testing programme combines static analysis of WASM bytecode, dynamic testing with resource monitoring, differential testing across runtimes, host boundary fuzzing, and supply chain verification. This guide provides a structured methodology and toolchain for security engineers deploying WASM in production.

WASM components communicate only through typed WIT interfaces — there is no shared memory between components. This architectural property eliminates entire classes of lateral movement and memory disclosure attacks. This guide explains how to design secure shared-nothing WASM systems with wasmCloud and the Component Model.

WASM SIMD128 exposes subtle timing side channels that break constant-time guarantees in cryptographic code. Learn when SIMD is safe, when it leaks secrets, and how to harden SIMD-accelerated WASM workloads against speculative execution and memory disclosure attacks.

WASM smart contracts in CosmWasm and NEAR inherit WASM sandboxing but introduce blockchain-specific risks: integer overflow in token math, reentrancy via cross-contract calls, and unsafe upgrade patterns. This guide covers audit methodology, secure coding patterns, and testing for Rust-based WASM contracts.

WebKit's BBQ/OMG JIT tiers, conservative Spectre mitigations, iOS JIT restrictions, WKWebView bridge security, and mobile-specific WASM threats require a hardening strategy distinct from desktop V8 deployments.

The Axios attack needed fast, portable scanning tools deployable anywhere. WASM-compiled security scanners run on any platform without installation, with WASI capability sandboxing, and verifiable reproducible builds — the ideal CI supply chain tool format.

CVE-2026-34971 allows WASM guest code to read/write arbitrary host memory on aarch64 via a Cranelift code generation bug. Affects AWS Graviton, Apple M-series, and ARM edge devices. Patch to Wasmtime 43.0.1+, audit aarch64 deployments, and harden against compiler-level sandbox escapes.

CVE-2026-34941 leaks one byte of host memory per string transcoding call in Wasmtime's component model. Affects all architectures. Repeated calls enable multi-byte information disclosure from host memory adjacent to WASM linear memory.

Harden the cargo-component WASM component build pipeline against proc-macro execution, build.rs supply chain attacks, and the Bytecode Alliance's inconsistent CVE process for tooling.

The Axios RAT had unrestricted network and filesystem access via a postinstall hook. A WASM/WASI sandbox grants postinstall scripts only what they need — a build directory and no network — so a compromised package cannot reach C2 or exfiltrate credentials.

CISA's OT Zero Trust guidance requires application-layer capability enforcement. WASM + WASI provides a sandboxing model for OT edge plugins where each vendor module gets only the network socket or filesystem access it needs — no more.

CISA recommends protocol-aware OT monitoring. Compiling Modbus, DNP3, and EtherNet/IP parsers to WASM provides memory-isolated, fuzz-tested parsing — a corrupt protocol frame cannot escape the sandbox to compromise the monitoring tool.

Harden Wasmer-based WASM deployments by understanding its JIT compiler attack surface, the absence of a formal CVE process, and tracking silent fixes across Cranelift, LLVM, and Singlepass backends.

CVE-2026-27195 crashes the Wasmtime host process when a guest component's async call future is dropped before completion. Learn how to harden async component deployments with timeouts, isolation, and upgrade controls.

Understand the security model of jco-transpiled WASM components running in Node.js and Deno, including capability leakage risks, host function exposure, and jco's lack of a formal CVE process.

Secure WebAssembly ahead-of-time compilation pipelines by hardening the compiler toolchain, signing AOT artifacts, validating inputs, and isolating the compilation environment.

Analyze security implications of the WebAssembly exception handling v2 proposal—cross-trust-boundary exception propagation, try_table instruction risks, and tracking silent fixes in Wasmtime and V8.

Analyze security implications of the WebAssembly memory64 proposal—64-bit linear memory, integer overflow risks, pointer arithmetic, and tracking silent security fixes in Wasmtime and V8.

Analyze security implications of the WebAssembly tail calls proposal—stack frame elimination breaking depth limits and call-stack audit tools—with tracking of silent implementation fixes in Wasmtime and V8.

Harden Wasmtime deployments against CVE-2026-27572 wasi:http header DoS and CVE-2026-27204 resource exhaustion—configuring guest resource limits to prevent host process termination.

Extism provides a universal plugin system built on WebAssembly. The host/guest security model limits what plugins can access, but misconfigured host functions, overpermissive memory sharing, and unverified plugin binaries break the sandbox. Securing Extism means controlling what the host exposes, not just what WASM provides.

OPA compiles Rego policies to WebAssembly for embedding in applications, edge functions, and API gateways without a sidecar. The compiled bundle evaluates policies in a WASM sandbox, but the sandbox's security depends on correct bundle signing, input validation, and cache isolation.

WebAssembly's component model enables dynamic module composition — linking multiple WASM modules at runtime into a single application. This creates trust boundary questions: when modules import functions from each other, which module's security context applies, and how do you prevent a low-trust module from abusing a high-trust module's exports?

WebAssembly's linear memory model provides strong isolation between the WASM heap and the host, but it does not prevent within-sandbox buffer overflows, use-after-free, or stack smashing. Understanding what WASM's memory model protects and what it doesn't determines where additional defences are needed.

WASM binaries are produced by compiler toolchains — Emscripten, wasi-sdk, wasm-pack, cargo/rustc. Insecure compiler flags introduce vulnerabilities (stack overflow, missing bounds checks); unsigned build artefacts enable supply chain substitution; and toolchain dependency vulnerabilities propagate into every binary the toolchain produces.

Analyze WasmGC's new attack surface in multi-tenant WASM runtimes: GC object escape, type confusion in struct hierarchies, finalizer abuse, and cross-tenant reference leaks.

Browser-hosted WASM has a distinct attack surface from server-side WASM. CSP directives, cross-origin isolation for SharedArrayBuffer, and SRI hashes prevent XSS-based WASM injection and module substitution.

Production WASM modules often ship with name sections, debug symbols, and source maps that expose function names, variable names, and original source structure. Stripping them protects proprietary logic.

wasmCloud's actor model isolates components behind capability contracts. Security rests on NKEY-based actor identity, lattice authentication via NATS, and OCI-signed actor distribution.

WasmEdge runs AI inference workloads, plugins, and serverless functions inside a WASM sandbox. Securing the runtime requires capability-based access control, plugin isolation, socket permission limits, and supply chain verification of the modules being executed.

Fermyon Spin 2.x runs WASM components as serverless-style handlers. Each component's network, filesystem, and secret access requires explicit capability grants. Defaults are strict; misconfiguration opens broad access.

Security-side WASM (auth filters, policy engines, MCP plugins) must be sub-millisecond to deploy at request rate. Pre-compilation and snapshotting get you there.

WASM lets you ship logic to constrained devices without firmware updates. The runtime, the trust model, and the OTA pipeline all need careful design.

Plugin systems built on WASM have a recurring shape. Threat-modeling that shape catches the structural mistakes before deployment.

WASM threading via SharedArrayBuffer re-opens Spectre-class timing attacks. Cross-origin isolation, per-tenant memory isolation, and atomics hygiene are required before enabling threads.

Edge runtimes execute untrusted customer code in shared processes. The hardening contract is the platform's, but the customer code's behavior decides the blast radius.

WASM plugins run inline in the data path. A misconfigured plugin can exhaust memory, leak tenant data, or crash the proxy. The defaults need explicit caps.

ngx_wasm_module brings the proxy-wasm protocol to NGINX. Plugin authoring is similar to Envoy, but the worker model and hardening surface differ.

WASM is the easy case for reproducibility — no dynamic linking, no runtime variance. Most teams still ship non-reproducible builds. The fix is small.

WASI HTTP servers are a clean platform-neutral pattern. The hardening is at the application layer — body limits, header allowlists, response shaping, and panic semantics.

Preview 2 replaces Preview 1's coarse imports with explicit, scoped, capability-passing interfaces. The security story is the actual reason to migrate.

wasi:sockets/tcp and wasi:sockets/udp give WASM modules network access. The capability model is fine-grained — most embedders use it as a coarse on/off switch.