SOC 2 for ISVs — A 2026 Refresh of the Series: Series Recap
A short note on why I refreshed the 5-part SOC 2 for ISVs series in 2026 — modernized imagery, and a reset of my own field knowledge from ±5-7 years of customer engagements.
Practitioner notes on SRE, Platform Engineering, Kubernetes, and how AI changes the way we ship. DevOps, SRE, Platform Engineering, and AI-driven delivery — by Haggai Philip Zagury.
A platform engineer's take on starting the FedRAMP journey from outside the US — why a third-party partner matters, and what the '90 days' promise really means in 2026.
SBOM, provenance, SLSA, cosign — and how FIPS 140-2/3 and FedRAMP land on your container images. A practitioner's map before the rebuild begins.
Everyone prototypes an AI agent in a weekend. Almost nobody ships it cleanly. Here's the wall you're about to hit — and how the platform is evolving to remove it.
FIPS-validated crypto is a hard requirement inside a FedRAMP boundary — not a best practice. A practitioner's walkthrough of where FIPS lands across 800-53 control families, and how the Building for Compliance supply-chain work maps onto it.
A platform engineer's plain-English walkthrough of what FedRAMP actually is — impact levels, the document set (SSP, SAR, POA&M), the ATO process, and how Rev5 and 20x change the picture in 2026.
How I set up my personal blog and portfolio using Astro and GitHub Pages — zero cost, full control, and a git push away from publishing.
Wiring a signed Wolfi toolchain image into a real consumer pipeline, verifying it at deploy time with Sigstore policy-controller, and digest-pinning with Renovate — the series finale.
ngrok, cloudflared, Tailscale Funnel, frp — a practitioner's map of reverse tunnels: how they work, when they're production-grade, and how they fit the Zero Trust picture.
The finale of the Zero Trust series: where compliance frameworks meet ZTNA, how the hyperscalers ship it natively, and what twenty years of remote-access evolution means for working practitioners.
ZTNA is what you get when you stop treating the network as the trust boundary and make every packet a policy decision against identity. A practitioner's map of the model, the vendors, and the DNS turn.
OAuth is authorization. OIDC is identity. MFA is necessary but not sufficient. A practitioner's map of AuthN, AuthZ, federation, and the DevOps use cases that live on top.
WireGuard won because it's boring — a short config, a fixed crypto suite, and a kernel module the size of a caffeine habit. Here's the practitioner's case for it in 2026.
VPNs extended the trust boundary over the public internet — and preserved the flaw at the heart of it. A practitioner's tour of OpenVPN, IPsec, split-DNS, and the DPI blocking era.
Part 3 — how I put Wolfi, syft, grype, and cosign to work in hagzag/tools: a CI toolchain image with SBOM validation, keyless signing, and a single-command local loop.