All posts
- The AI Headcount Panic, Bad Bets, and Lost Knowledge: Companies across the globe—and Israeli high-tech especially—are mass-laying off in the name of AI. But is AI really the reason, or just the best available excuse?
- Cilium in Practice — A Three-Part Series on eBPF Networking, EKS, and FedRAMP (Series Recap): Three forces pushed Cilium onto my roadmap: a VPC-CNI silent-drop bug, a FedRAMP project, and a pattern in every recent breach I've reviewed. Here's the series.
- The Infrastructure Wall: Why Your Agent Demo Died in Production: Everyone prototypes an AI agent in a weekend. Almost nobody ships it cleanly. Here's the wall you're about to hit — and how the platform is evolving to remove it.
- FedRAMP, From the Platform Side — Part 3: Where FIPS Lives Inside FedRAMP (Part 3): FIPS-validated crypto is a hard requirement inside a FedRAMP boundary — not a best practice. A practitioner's walkthrough of where FIPS lands across 800-53 control families, and how the Building for Compliance supply-chain work maps onto it.
- FedRAMP, From the Platform Side — Part 2: The Basics (Part 2): A platform engineer's plain-English walkthrough of what FedRAMP actually is — impact levels, the document set (SSP, SAR, POA&M), the ATO process, and how Rev5 and 20x change the picture in 2026.
- SOC 2 for ISVs — A 2026 Refresh of the Series (Series Recap): A short note on why I refreshed the 5-part SOC 2 for ISVs series in 2026 — modernized imagery, and a reset of my own field knowledge from +-5-7 years of customer engagements.
- FedRAMP, From the Platform Side — Part 1: Why You Probably Need a Partner (Part 1): A platform engineer's take on starting the FedRAMP journey from outside the US — why a third-party partner matters, and what the '90 days' promise really means in 2026.
- My Personal Blog Stack: Astro + GitHub Pages = Zero Excuses Not to Write: How I set up my personal blog and portfolio using Astro and GitHub Pages — zero cost, full control, and a git push away from publishing.
- Zero Trust Network Access in CI/CD: Cloudflare WARP for Private Endpoint Connectivity in GitHub Actions: How to connect GitHub Actions runners to private infrastructure using Cloudflare Zero Trust WARP and a service account — enabling Terragrunt to reach private endpoints without IP allowlisting.
- Rebuilding for Compliance, Part 4: From Signed Image to Verified Pipeline (Part 4): Wiring a signed Wolfi toolchain image into a real consumer pipeline, verifying it at deploy time with Sigstore policy-controller, and digest-pinning with Renovate — the series finale.
- The Reverse Tunnel: ngrok, Cloudflare Tunnel, and the Service That Dials Out (Part 8): ngrok, cloudflared, Tailscale Funnel, frp — a practitioner's map of reverse tunnels: how they work, when they're production-grade, and how they fit the Zero Trust picture.
- Compliance, Cloud, and Consulting from Anywhere (Part 7): The finale of the Zero Trust series: where compliance frameworks meet ZTNA, how the hyperscalers ship it natively, and what twenty years of remote-access evolution means for working practitioners.
- Zero Trust Networking: Identity Meets the Network (Part 6): ZTNA is what you get when you stop treating the network as the trust boundary and make every packet a policy decision against identity. A practitioner's map of the model, the vendors, and the DNS turn.
- Identity Is the New Perimeter: AuthN, AuthZ, MFA, and Why They Matter (Part 5): OAuth is authorization. OIDC is identity. MFA is necessary but not sufficient. A practitioner's map of AuthN, AuthZ, federation, and the DevOps use cases that live on top.
- WireGuard: Why Simpler Won (Part 4): WireGuard won because it's boring — a short config, a fixed crypto suite, and a kernel module the size of a caffeine habit. Here's the practitioner's case for it in 2026.
- VPNs: OpenVPN, IPsec, and the TLS Tunnel (Part 3): VPNs extended the trust boundary over the public internet — and preserved the flaw at the heart of it. A practitioner's tour of OpenVPN, IPsec, split-DNS, and the DPI blocking era.
- Rebuilding for Compliance, Part 3: Building Secure Containers on Wolfi (Part 3): How I put Wolfi, syft, grype, and cosign to work in hagzag/tools: a CI toolchain image with SBOM validation, keyless signing, and a single-command local loop.
- SSH and the Cryptographic Turn (Part 2): SSH replaced telnet in a few years and still runs everything three decades later. Here's why 'SSH is solved' is the most dangerous sentence in your runbook.
- From Trusted Wires to the Open Internet (Part 1): Why telnet, rsh, and finger made sense once — and why every modern remote-access control traces back to the moment the wire stopped being trusted.
- Rebuilding for Compliance, Part 2: Rebuilding on Wolfi OS (Part 2): Wolfi OS, apko, melange, and Chainguard's daily rebuild model — a practitioner's evaluation of the open-source path to low-CVE, FIPS/FedRAMP-ready images.
- Rebuilding for Compliance, Part 1: A Supply Chain Security Primer (Part 1): SBOM, provenance, SLSA, cosign — and how FIPS 140-2/3 and FedRAMP land on your container images. A practitioner's map before the rebuild begins.
- From API to Owned: MiniMax M2.7, Gemma 4, and the Case for Running Models on Your Laptop: Two major open-source model releases in one week signal a tipping point. Here's why I'm running capable agent models on my own hardware — and how you can too.
- ClawJacked, Axios, and the Autonomous Agent Problem: A practitioner's field notes on March 2026: OpenClaw's CVE flood, the Axios npm RAT, and why self-hosted autonomous agents are standing in the blast zone.
- I Want a Personal Agent. I'm Not Running One Yet — Here's What Would Change That: Part 2: sandboxing with agent-sandbox, evaluating nanobot and nanoclaw, prompt injection realities, and the pre-flight checklist before I trust an autonomous agent.
- Andrej Karpathy Just Made RAG Obsolete — And All You Need Is Three Folders: Andrej Karpathy dropped a paradigm-shifting gist on building personal knowledge bases with LLMs — no vector DB, no embeddings, just raw/wiki/output folders. Here's what it means for the rest of us.
- The Agent Cost Wars — Updated: GLM-5, M2.7, and What the Leaderboard Actually Tells Us: A follow-up to my MiniMax M2.5 piece — challenging my own assumptions with fresh Artificial Analysis data, GLM-5, M2.7, and what this means for coders in 2026.
- The View from Outside the Glass: Why Growing Organizations Need the Outsider's Mirror: How a consultant's external perspective helps scaling organizations shift from reactive execution to intentional alignment — and why staying silent is the real failure.
- The $1,892 Agent: MiniMax M2.5 and the Dawn of Always-On Intelligence: MiniMax M2.5 achieves near-Opus 4.6 performance at 3% the cost. What this means for always-on agents, the SWE-bench, and the falling cost of intelligence.
- AWS KMS Best Practices: Securing the Secret Ingredients of Your Infrastructure: AWS KMS gives you three flavors of encryption keys. For anything resembling production, CMKs are the only real choice. This post covers key granularity, aliases, ransomware shields, and cross-account access patterns.
- AWS Landing Zone Accelerator — When Multi-Account Governance Gets Real: How AWS Landing Zone Accelerator (LZA) turns YAML configs into governed multi-account environments with Transit Gateway isolation, NACLs, and HIPAA-ready networking.
- DNS Series Glossary — The Terms That Keep Showing Up: A practical glossary for the DNS Evolution in Practice series: core DNS records, service discovery terms, traffic management concepts, and DNS security vocabulary.
- DNS — The Internet's Quiet Backbone: A Series Introduction (Series Recap): Why I'm writing a four-part DNS series in 2026. Notes from 25 years of teaching the topic that most engineers — and most curricula — quietly underestimate.
- DNS, Part 4 — When DNS Lies: Cache Poisoning, Spoofing, and How to Defend Yourself (Part 4): How DNS attacks actually work — Kaminsky, Sea Turtle, MyEtherWallet, DigiNotar — and the layered defenses that hold up: DNSSEC, DoH, CAA, registrar lock.
- DNS, Part 3 — DNS as a Load Balancer: AWS, GCP, Azure and the L3-to-L7 Stack (Part 3): How DNS sits in front of cloud load balancers, what each LB tier actually sees, and the brutal truth about TTLs in multi-region high availability.
- DNS, Part 2 — DNS at Scale: Service Discovery with Consul and CoreDNS (Part 2): How ephemeral cloud-native workloads broke traditional DNS, and how Consul and CoreDNS rebuilt it as a real-time service catalog.
- DNS, Part 1 — From /etc/hosts to BIND-9: The Origin Story Every SRE Should Know (Part 1): A practitioner's tour of DNS — from the hosts file era and BIND at Berkeley to CoreDNS in Kubernetes — and the record types every engineer should actually understand.
- Cilium, Part 1 — Hands-On With eBPF Network Policies on k3d (Part 1): A practitioner's k3d lab for Cilium: install it next to your laptop, walk a CiliumNetworkPolicy progression from default-deny to L7 HTTP filtering, and read the drops in Hubble.
- SOC 2 for ISVs, Part 5: Surviving the Audit and What Comes After (Part 5): Choosing an auditor, surviving the Type II observation window, common findings, and how SOC 2 becomes the foundation for ISO 27001, HIPAA, and FedRAMP.
- SOC 2 for ISVs, Part 4: Continuous Compliance — Making SOC 2 a Byproduct, Not a Project (Part 4): How to turn SOC 2 from a yearly fire drill into a byproduct of how you build — AWS SCPs, GCP Org Policies, OPA, drift detection, and automated evidence collection.
- SOC 2 for ISVs, Part 3: From Zero to Audit-Ready — The Technical Foundation (Part 3): How to map SOC 2 controls to your AWS, GCP, and Kubernetes stack — IAM, logging, encryption, change management, and what auditors actually want to see.
- SOC 2 for ISVs, Part 2: The Five Trust Service Criteria, Demystified (Part 2): What the five SOC 2 Trust Service Criteria actually mean, which are mandatory, and how to scope your audit so it doesn't sprawl. Part 2 of 5.
- SOC 2 for ISVs, Part 1: The Price of Admission to the Enterprise (Part 1): Why SOC 2 has become non-negotiable for ISVs selling to enterprises — and what it actually costs to skip it. Part 1 of a 5-part series.
- There’s no place like K3d continued — 2 — scaling with KEDA: A hands-on lab using K3d and KEDA to demonstrate horizontal scaling patterns for event-driven workloads.
- Planning a production ready kubernetes with fundamental Controllers & Operators — Part 5 — Scheduling (Part 5): Why scheduling, resource requests, and controller loops matter when designing a production-ready Kubernetes platform.
- Navigating the Complexity of Modern Development: Introducing the Self-Service Development Environment: Why self-service development environments matter for modern teams and how automation, standardization, and templates reduce onboarding friction.
- Why blog in 2024? | A Reflection on Diversity of thought and the Power of anecdotes: Personal reflections on writing, collaboration, and the value of storytelling in the 2024 tech community.
- Free & Secure Local Development: Bitwarden Secrets Manager with K3d + Walkthrough: This post will show you how to secure your local development environment by using Bitwarden Secrets Manager with K3d.
- Infrastructure as Code: Navigating Declarative and Imperative Approaches: Explore the nuances of declarative and imperative Infrastructure as Code (IaC) approaches. Learn how to choose the right method for your team and project needs, with insights from real-world experiences using tools like Terraform, AWS CDK, and Pulumi.
- Doing literally anything with go-task and why should ya?: Explore how go-task can transform your development workflow by providing a modern, cloud-native task runner alternative to traditional Makefiles.
- Kubexperience for developers: A walkthrough of the Kubexperience workshop for developers, covering Kubernetes fundamentals, demos, and resources.
- From yak shaving to mastering tasks: Discover how go-task can transform your development workflow by eliminating yak shaving and streamlining task management.
- 👨🏼🔬 > 🥷🏼 | UpSkillin’ the Dev in DevOps: Why DevOps engineers must deepen their software engineering craft and how to plan the skills journey.