SOC 2 for ISVs — A 2026 Refresh of the Series (Series Recap)
A short note on why I refreshed the 5-part SOC 2 for ISVs series in 2026 — modernized imagery, and a reset of my own field knowledge from ±5-7 years of customer engagements.
Practitioner notes on SRE, Platform Engineering, Kubernetes, and how AI changes the way we ship. DevOps, SRE, Platform Engineering, and AI-driven delivery — by Haggai Philip Zagury.
A field guide for R&D teams on FIPS 140-3 and FedRAMP — starting with why these certifications matter, what they cost, and how SOC 2 fits into the roadmap.
SBOM, provenance, SLSA, cosign — and how FIPS 140-2/3 and FedRAMP land on your container images. A practitioner's map before the rebuild begins.
How I set up my personal blog and portfolio using Astro and GitHub Pages — zero cost, full control, and a git push away from publishing.
Wiring a signed Wolfi toolchain image into a real consumer pipeline, verifying it at deploy time with Sigstore policy-controller, and digest-pinning with Renovate — the series finale.
ngrok, cloudflared, Tailscale Funnel, frp — a practitioner's map of reverse tunnels: how they work, when they're production-grade, and how they fit the Zero Trust picture.
The finale of the Zero Trust series: where compliance frameworks meet ZTNA, how the hyperscalers ship it natively, and what twenty years of remote-access evolution means for working practitioners.
ZTNA is what you get when you stop treating the network as the trust boundary and make every packet a policy decision against identity. A practitioner's map of the model, the vendors, and the DNS turn.
OAuth is authorization. OIDC is identity. MFA is necessary but not sufficient. A practitioner's map of AuthN, AuthZ, federation, and the DevOps use cases that live on top.
WireGuard won because it's boring — a short config, a fixed crypto suite, and a kernel module the size of a caffeine habit. Here's the practitioner's case for it in 2026.
VPNs extended the trust boundary over the public internet — and preserved the flaw at the heart of it. A practitioner's tour of OpenVPN, IPsec, split-DNS, and the DPI blocking era.
Part 3 — how I put Wolfi, syft, grype, and cosign to work in hagzag/tools: a CI toolchain image with SBOM validation, keyless signing, and a single-command local loop.
SSH replaced telnet in a few years and still runs everything three decades later. Here's why 'SSH is solved' is the most dangerous sentence in your runbook.
Why telnet, rsh, and finger made sense once — and why every modern remote-access control traces back to the moment the wire stopped being trusted.
Wolfi OS, apko, melange, and Chainguard's daily rebuild model — a practitioner's evaluation of the open-source path to low-CVE, FIPS/FedRAMP-ready images.