Articles

Every article follows the same structure: Problem, Threat Model, Configuration, Expected Behaviour, Trade-offs, and Failure Modes. No fluff.

AI & Security Landscape

AI & Security Landscape advanced 16 min read

Adversarial Attacks on Embeddings: Poisoning Vector Stores and Manipulating Semantic Search
AI & Security Landscape advanced 18 min read

Agent-to-Agent Trust: Authentication, Delegation, and Capability Boundaries in Multi-Agent Systems
AI & Security Landscape advanced 18 min read

Sandboxing AI Agent Tool Use: Filesystem, Network, and Process Isolation for Autonomous Actions
AI & Security Landscape advanced 18 min read

Verifying AI Agent Output: Deterministic Checks, Human-in-the-Loop Gates, and Rollback Safety
AI & Security Landscape intermediate 14 min read

Using AI to Harden Systems: Automated Configuration Review and Remediation
AI & Security Landscape advanced 16 min read

Hardening the AI Control Plane: Kill Switches, Rate Limits, and Human-in-the-Loop Gates
AI & Security Landscape advanced 18 min read

AI Credential Delegation: Short-Lived Tokens, Scope Narrowing, and Audit Trails for Agent Access
AI & Security Landscape advanced 19 min read

Building an AI Governance Pipeline: Automated Checks from Training to Production
AI & Security Landscape advanced 18 min read

AI Incident Reporting: Detection, Classification, and Response Procedures for AI System Failures
AI & Security Landscape intermediate 16 min read

AI Model Cards in Production: Documenting Capabilities, Limitations, and Security Properties
AI & Security Landscape advanced 16 min read

AI Supply Chain Attack Surface: Models, Datasets, and Inference Dependencies
AI & Security Landscape advanced 16 min read

AI-Powered Vulnerability Discovery: What Automated Code Analysis Means for Your Patch Cycle
AI & Security Landscape advanced 19 min read

Algorithmic Auditing: Testing AI Systems for Bias, Fairness, and Safety Before Deployment
AI & Security Landscape advanced 18 min read

Auditing AI Actions at Scale: Building Tamper-Proof Logs for Non-Human Actors
AI & Security Landscape advanced 18 min read

Detecting AI-Generated Attacks: Moving from Signatures to Behavioural Baselines
AI & Security Landscape advanced 18 min read

EU AI Act Compliance for Infrastructure Teams: Risk Classification, Documentation, and Technical Controls
AI & Security Landscape advanced 16 min read

LLM Jailbreak Defence: Detecting and Preventing System Prompt Bypasses in Production
AI & Security Landscape advanced 18 min read

Securing MCP Servers: Authentication, Tool Sandboxing, and Input Validation for Model Context Protocol
AI & Security Landscape advanced 16 min read

Membership Inference Defence: Preventing Attackers from Determining Training Data Inclusion
AI & Security Landscape advanced 16 min read

Model Extraction Prevention: Detecting and Blocking Model Stealing Through API Queries
AI & Security Landscape advanced 20 min read

Securing AI Agents in Production: Tool-Use Boundaries, Credential Scoping, and Output Verification
AI & Security Landscape advanced 16 min read

Training Data Extraction Prevention: Stopping Models from Leaking Memorised Data
AI & Security Landscape advanced 20 min read

How AI Is Compressing the Attacker Timeline: What Defenders Need to Change Now
AI & Security Landscape intermediate 18 min read

Claude, Mythos, and the Non-Human Infrastructure Consumer: Writing Hardening Guides for AI Agents
AI & Security Landscape advanced 20 min read

The Threat Model Has Changed: Rewriting Security Assumptions for an AI-Augmented World

Cross-Cutting Guides

Cross-Cutting Guides intermediate 16 min read

Compliance-as-Code: Mapping CIS Benchmarks to Automated Checks with InSpec and Kube-bench
Cross-Cutting Guides intermediate 14 min read

The Hardening Scorecard: Measuring and Tracking Security Posture
Cross-Cutting Guides beginner 18 min read

Security Hardening for Small Teams: Prioritising Controls When You Cannot Do Everything
Cross-Cutting Guides intermediate 15 min read

Incident Response Hardening Playbook: From Detection to Post-Mortem
Cross-Cutting Guides intermediate 18 min read

Securing Message Queues in Production: Kafka, RabbitMQ, and NATS Hardening
Cross-Cutting Guides intermediate 16 min read

Migrating from Self-Hosted Prometheus to Grafana Cloud: Preserving Dashboards, Alerts, and History
Cross-Cutting Guides advanced 22 min read

Migrating from Self-Managed Kubernetes to a Managed Provider Without Losing Your Security Posture
Cross-Cutting Guides advanced 15 min read

Multi-Cloud Hardening: Consistent Security Posture Across Providers
Cross-Cutting Guides intermediate 20 min read

Hardening PostgreSQL for Production: Authentication, Encryption, Row-Level Security, and Audit Logging
Cross-Cutting Guides intermediate 14 min read

Hardening Redis in Production: Authentication, TLS, ACLs, and Command Restriction
Cross-Cutting Guides advanced 15 min read

Security Infrastructure Disaster Recovery: Vault, PKI, and SIEM Failover
Cross-Cutting Guides advanced 16 min read

Zero Trust Networking: Identity-Based Access Beyond Perimeter Security
Cross-Cutting Guides advanced 35 min read

Hardening a Complete Kubernetes Platform: From Cluster Bootstrap to Production-Ready

Linux / OS Hardening

Linux / OS Hardening intermediate 22 min read

Automated OS Hardening with Ansible: A Production-Ready Playbook Collection
Linux / OS Hardening intermediate 14 min read

AppArmor Profiles for Custom Applications: From Complain Mode to Enforce
Linux / OS Hardening intermediate 16 min read

Linux Audit Framework Deep Dive: auditd Rules, auditctl, and ausearch for Security Monitoring
Linux / OS Hardening intermediate 15 min read

Cgroup v2 Resource Isolation: Preventing Resource Exhaustion Attacks on Shared Systems
Linux / OS Hardening intermediate 16 min read

Hardening Container Base Images: From ubuntu:latest to a Minimal, Signed, Scannable Image
Linux / OS Hardening intermediate 15 min read

Hardening DNS Resolution on Linux: systemd-resolved, Unbound, and DNS-over-TLS
Linux / OS Hardening intermediate 14 min read

Filesystem Mount Options That Matter: noexec, nosuid, nodev, and Beyond
Linux / OS Hardening advanced 14 min read

Hardening GRUB and the Boot Process: Secure Boot, Boot Passwords, and Tamper Detection
Linux / OS Hardening intermediate 13 min read

Kernel Module Hardening: Blacklisting, Signing, and Preventing Runtime Loading
Linux / OS Hardening intermediate 16 min read

Linux Firewall Hardening with nftables: Replacing iptables in Production
Linux / OS Hardening intermediate 14 min read

PAM Configuration Hardening: Password Policies, Login Controls, and MFA Integration
Linux / OS Hardening intermediate 13 min read

Hardening /proc and /sys: Restricting Kernel Information Disclosure
Linux / OS Hardening advanced 18 min read

SELinux in Production: Writing Custom Policies Without Losing Your Mind
Linux / OS Hardening intermediate 20 min read

SSH Hardening Beyond the Basics: Certificate Authentication, Jump Hosts, and Logging
Linux / OS Hardening intermediate 20 min read

systemd Unit Hardening: ProtectSystem, PrivateTmp, and the Full Sandbox Toolkit
Linux / OS Hardening intermediate 14 min read

Time Synchronization Security: Hardening NTP and Chrony Against Manipulation
Linux / OS Hardening intermediate 18 min read

Hardening the Linux Kernel Attack Surface with sysctl and Boot Parameters

Network & API Security

Network & API Security intermediate 22 min read

API Gateway Security: Authentication, Authorization, and Request Validation
Network & API Security intermediate 22 min read

gRPC Security in Production: TLS, Authentication, and Interceptor-Based Access Control
Network & API Security intermediate 18 min read

HTTP Security Headers in Production: CSP, HSTS, and Permissions-Policy Without Breaking Your App
Network & API Security intermediate 22 min read

Protecting Internal APIs: Network Segmentation, Authentication, and Access Logging
Network & API Security intermediate 18 min read

IPv6 Security in Production: Hardening Dual-Stack Deployments
Network & API Security intermediate 18 min read

Load Balancer Security: Health Check Abuse, Connection Draining, and TLS Termination
Network & API Security intermediate 22 min read

mTLS for Service-to-Service Communication: Istio, Linkerd, and DIY with cert-manager
Network & API Security intermediate 20 min read

Rate Limiting at the Ingress Layer: NGINX, Envoy, and Cloud Load Balancers Compared
Network & API Security intermediate 20 min read

Preventing HTTP Request Smuggling: Configuration for NGINX, HAProxy, and Envoy
Network & API Security intermediate 18 min read

TLS 1.3 Configuration for NGINX and Envoy: Ciphers, Certificates, and OCSP Stapling
Network & API Security intermediate 22 min read

WAF Rule Tuning That Does Not Break Legitimate Traffic: ModSecurity and Coraza in Practice
Network & API Security intermediate 18 min read

Hardening WebSocket Connections: Authentication, Rate Limiting, and Origin Validation
Network & API Security intermediate 18 min read

DNS Security for Production Infrastructure: DNSSEC, CAA Records, and Internal Resolution
Network & API Security intermediate 20 min read

NGINX Hardening Beyond TLS: Request Filtering, Buffer Limits, and Connection Controls

CI/CD & Supply Chain

CI/CD & Supply Chain advanced 16 min read

Artifact Integrity Verification: Checksums, Signatures, and Transparency Logs
CI/CD & Supply Chain intermediate 16 min read

Secret Management in CI/CD Pipelines: Vault, SOPS, and OIDC Federation
CI/CD & Supply Chain intermediate 16 min read

Container Registry Security: Access Control, Vulnerability Scanning, and Garbage Collection
CI/CD & Supply Chain intermediate 14 min read

Dependency Pinning and Lockfile Integrity: Preventing Supply Chain Attacks in CI
CI/CD & Supply Chain intermediate 16 min read

GitOps Security Model: Separation of Duties, Drift Detection, and Rollback Controls
CI/CD & Supply Chain intermediate 14 min read

Securing Helm Charts: Chart Signing, Value Injection, and Template Security
CI/CD & Supply Chain intermediate 14 min read

Pipeline-as-Code Security: Preventing CI Configuration Tampering
CI/CD & Supply Chain advanced 15 min read

Reproducible Builds for Container Images: Achieving Deterministic Output
CI/CD & Supply Chain intermediate 14 min read

Software Bill of Materials (SBOM) Generation and Consumption in CI/CD
CI/CD & Supply Chain intermediate 18 min read

Securing CI/CD Runners: Isolation, Credential Scoping, and Ephemeral Environments
CI/CD & Supply Chain intermediate 16 min read

Securing GitHub Actions: Permissions, Pinning, and Workflow Injection Prevention
CI/CD & Supply Chain advanced 16 min read

SLSA Provenance for Container Images: From Build to Admission Control
CI/CD & Supply Chain intermediate 16 min read

Terraform Security: State File Protection, Provider Pinning, and Plan Review Automation

Kubernetes / Platform

Kubernetes / Platform intermediate 17 min read

A/B Model Deployment Safety: Canary Rollouts, Traffic Splitting, and Automated Rollback for ML Models
Kubernetes / Platform intermediate 22 min read

Kubernetes Admission Control: From PodSecurity Standards to Custom OPA/Kyverno Policies
Kubernetes / Platform intermediate 13 min read

AI API Key Management: Rotation, Scoping, and Abuse Detection
Kubernetes / Platform advanced 17 min read

Building a Content Filtering Pipeline for LLM Applications: From Raw Input to Safe Output
Kubernetes / Platform advanced 16 min read

AI Data Leakage Prevention: Input Filtering, Output Scanning, and Audit Trails
Kubernetes / Platform advanced 18 min read

Implementing AI Guardrails: Input Validation, Output Filtering, and Safety Classifiers in Production
Kubernetes / Platform advanced 18 min read

AI Incident Forensics: Reconstructing What an AI System Did, Why, and What Data It Accessed
Kubernetes / Platform advanced 17 min read

AI Red Teaming Methodology: Structured Adversarial Testing for LLM Applications
Kubernetes / Platform advanced 15 min read

Network Segmentation for AI Training Infrastructure
Kubernetes / Platform intermediate 22 min read

Kubernetes API Server Hardening: Flags, Authentication, and Audit Logging
Kubernetes / Platform intermediate 22 min read

Kubernetes Audit Log Analysis: What to Log, How to Query, and What to Alert On
Kubernetes / Platform intermediate 18 min read

etcd Encryption at Rest: Configuration, Key Rotation, and Performance Impact
Kubernetes / Platform advanced 22 min read

Runtime Security with Falco on Kubernetes: Rules, Tuning, and Response Automation
Kubernetes / Platform advanced 18 min read

Securing Fine-Tuning Pipelines: Data Isolation, Checkpoint Integrity, and Access Control
Kubernetes / Platform intermediate 13 min read

GPU Cost and Security Monitoring: Detecting Abuse and Optimising Spend
Kubernetes / Platform advanced 16 min read

GPU Workload Isolation: MIG, MPS, and vGPU Security Boundaries
Kubernetes / Platform intermediate 20 min read

Kubernetes Image Policy Enforcement: Cosign, Notation, and Admission Webhooks
Kubernetes / Platform intermediate 16 min read

Hardening Model Inference Endpoints: Authentication, Rate Limiting, and Input Validation
Kubernetes / Platform intermediate 21 min read

Hardening Kubernetes Ingress Controllers: NGINX, Traefik, and Envoy Compared
Kubernetes / Platform intermediate 14 min read

Jupyter Notebook Security: Authentication, Isolation, and Data Protection
Kubernetes / Platform intermediate 18 min read

Kubelet Security Configuration: Authentication, Authorization, and Read-Only Port
Kubernetes / Platform advanced 18 min read

LLM Observability in Production: Monitoring Latency, Token Usage, Safety Violations, and Drift
Kubernetes / Platform intermediate 14 min read

Observability for LLM Applications: Token Usage, Latency Anomalies, and Output Classification
Kubernetes / Platform advanced 14 min read

Securing Model Artifact Pipelines: From Training to Serving
Kubernetes / Platform intermediate 16 min read

Model Registry Access Control: Versioning, Signing, and Promotion Gates
Kubernetes / Platform intermediate 16 min read

Hardening Model Serving Frameworks: TorchServe, Triton, and vLLM Security Configuration
Kubernetes / Platform intermediate 20 min read

Multi-Tenancy Hardening in Kubernetes: Namespace Isolation, Resource Quotas, and Network Boundaries
Kubernetes / Platform intermediate 22 min read

Kubernetes Network Policies That Actually Work: From Default Deny to Microsegmentation
Kubernetes / Platform intermediate 22 min read

Kubernetes Node Hardening: From OS Configuration to kubelet Lockdown
Kubernetes / Platform intermediate 20 min read

Pod Security Context Deep Dive: runAsNonRoot, readOnlyRootFilesystem, and Capabilities
Kubernetes / Platform advanced 16 min read

Prompt Injection Defence in Production: Input Validation, Output Filtering, and Monitoring
Kubernetes / Platform advanced 16 min read

Securing RAG Pipelines: Vector Database Access Control, Document Poisoning, and Retrieval Filtering
Kubernetes / Platform intermediate 20 min read

Kubernetes RBAC Design Patterns: Least Privilege Without Paralysing Developers
Kubernetes / Platform advanced 17 min read

RLHF Data Protection: Securing Human Feedback Loops, Preference Data, and Reward Models
Kubernetes / Platform intermediate 18 min read

Hardening the Kubernetes Scheduler: Topology Constraints and Security-Aware Placement
Kubernetes / Platform intermediate 20 min read

Seccomp Profiles for Production Workloads: Writing, Testing, and Deploying Custom Profiles
Kubernetes / Platform intermediate 20 min read

Kubernetes Secrets Management: External Secrets Operator, Vault, and Sealed Secrets
Kubernetes / Platform intermediate 19 min read

Kubernetes Service Account Token Security: Bound Tokens, Projected Volumes, and OIDC
Kubernetes / Platform intermediate 18 min read

Vector Database Security: Access Control, Embedding Protection, and Query Isolation

Observability & Detection

Observability & Detection advanced 22 min read

Building a Security Audit Log Pipeline That Scales: auditd to Elasticsearch
Observability & Detection intermediate 20 min read

Centralized Logging Architecture for Security: Fluentd, Vector, and Loki Compared
Observability & Detection intermediate 15 min read

Certificate Expiry Monitoring: Automated Detection Across TLS, mTLS, and Signing Certificates
Observability & Detection advanced 18 min read

Container Escape Detection: Runtime Signals, Kernel Indicators, and Response Automation
Observability & Detection intermediate 15 min read

Crypto Mining Detection: CPU Patterns, Network Signatures, and Automated Response
Observability & Detection advanced 18 min read

Building Detection Rules That Don't Cry Wolf: Alert Design for Security Events
Observability & Detection advanced 18 min read

eBPF-Based Security Monitoring: Tetragon for Process, Network, and File Observability
Observability & Detection intermediate 17 min read

Incident Response Runbooks: Structured Procedures for Common Security Events
Observability & Detection advanced 16 min read

Kubernetes Audit Log Pipeline Design: From API Server to SIEM
Observability & Detection advanced 18 min read

Lateral Movement Detection: Network Patterns, Authentication Anomalies, and Alert Correlation
Observability & Detection advanced 16 min read

Log Integrity and Tamper Detection: Ensuring Your Audit Trail Is Trustworthy
Observability & Detection advanced 16 min read

OpenTelemetry for Security: Distributed Tracing of Authentication and Authorization Flows
Observability & Detection intermediate 18 min read

Security-Relevant Prometheus Metrics: What to Collect, How to Alert, When to Page
Observability & Detection intermediate 14 min read

Security Dashboards That Engineers Actually Use: Grafana Designs for Hardening Verification