// Topic

Security

Definition

Security coverage in this archive spans 37 posts from May 2016 to Apr 2026 and frames security as continuous risk reduction instead of one-time policy work. The strongest adjacent threads are ai, devops, and incident response. Recurring title motifs include security, ai, engineering, and container.

Key claims

The strongest pattern is operational: security controls are effective only when they are embedded in delivery flow.
Early posts lean on security and incident, while newer posts lean on ai and security as constraints shifted.
This topic repeatedly intersects with ai, devops, and incident response, so design choices here rarely stand alone.

Practical checklist

Map threats to concrete controls, then tie each control to an owner and an observable signal.
Start with the newest post to calibrate current constraints, then backtrack to older entries for first principles.
When boundary questions appear, cross-read ai and devops before committing implementation details.

Failure modes

Treating compliance checklists as a substitute for runtime detection and response.
Adding controls no one owns, tests, or rehearses under incident pressure.
Applying guidance from 2016 to 2026 without revisiting assumptions as context changed.

Suggested reading path

Start here (current state): Sovereign Systems: Building for a World Where Data Privacy Is Non-Optional
Then read (operating middle): Your Software Supply Chain Is Probably a Mess
Finish with (foundational context): Security Incident Response for Startups

References

38 posts

AI Governance Without Bureaucracy May 7, 2026 · 2 min Effective AI governance is tighter defaults, clearer ownership, and faster escalation — not more committees. governance ai security

Sovereign Systems: Building for a World Where Data Privacy Is Non-Optional April 6, 2026 · 6 min Privacy is an architecture constraint, not a feature toggle. Teams that build sovereignty into their systems early avoid painful retrofits and close enterprise deals faster. privacy security data-residency

AI Security: Evolving Threats and Defenses February 23, 2026 · 7 min As of late February 2026, AI security is defined by adaptive attacks and layered, operational defenses. security ai threats

AI Privacy Is a Plumbing Problem, Not a Policy Problem September 15, 2025 · 5 min Privacy in AI systems fails in the implementation details -- what gets logged, who can replay prompts, how long artifacts linger. Treat it as infrastructure, not a compliance checkbox. privacy ai data

AI Security: Same Principles, New Attack Surface April 28, 2025 · 5 min AI systems are exposed APIs with real blast radius. The threats are injection, leakage, and tool misuse. The defenses are the same ones we've always needed -- just applied to a new surface. security ai threats

AI Safety Is Just Production Engineering November 11, 2024 · 5 min AI safety in production isn't a research problem. It's defense in depth, the same way cyber defense works -- layered controls, assumed breach, observable boundaries. ai safety production

AI Compliance Without the Theater June 10, 2024 · 5 min Compliance doesn't have to slow you down. But you have to build it into the system from day one, not bolt it on after the demo impresses the board. ai compliance enterprise

LLM Security: A Field Guide for People Who Ship Things October 30, 2023 · 6 min LLMs introduce security failure modes that most teams are not defending against. Prompt injection, data leakage, tool abuse, and cost attacks are real and exploitable today. security llm ai

Responsible AI Is Just Risk Management. Treat It That Way. October 16, 2023 · 3 min Responsible AI is not an ethics committee. It is operational risk management, and teams that treat it otherwise are building liabilities. ai security risk-management

AI Safety Is Just Security Engineering With Extra Steps March 20, 2023 · 4 min AI safety is not a philosophy problem for engineers. It is reliability, security, and accountability applied to a new kind of system. ai safety security

Container Scanning Without the Security Theater July 11, 2022 · 4 min Most container scanning setups generate noise, not security. Here is how to build a pipeline that actually catches what matters. containers security docker

OAuth Tokens: Why They Keep Getting Stolen and How to Stop It April 18, 2022 · 7 min Bearer tokens are bearer weapons. Short lifetimes, tight scopes, encrypted storage, and real monitoring are the only defenses that matter. security oauth authentication

Hardening Kubernetes: The Stuff That Actually Matters February 7, 2022 · 7 min Kubernetes defaults are built for getting things running, not for keeping attackers out. A layered hardening walkthrough covering pods, RBAC, network policies, secrets, and the control plane. kubernetes security hardening

What Log4j Actually Taught Us January 10, 2022 · 5 min Log4j wasn't a dependency problem. It was an operational readiness problem. Here's what to fix before the next one hits. security log4j dependencies

2021: The Year Everything We Ignored Caught Fire December 27, 2021 · 5 min Personal reflections on a year of growth, supply chain security wake-up calls, and ending the year neck-deep in Log4j response. year-in-review security 2021

Log4j Is on Fire. Here's What to Do Right Now. December 13, 2021 · 5 min CVE-2021-44228 is the worst vulnerability I have seen in a decade. If you run Java anywhere, stop reading the news and start inventorying. security log4j vulnerability

Zero Trust Architecture: What It Actually Looks Like August 23, 2021 · 6 min Zero trust from two perspectives: my NATO background in defense systems and work at a major telecom. The architecture patterns, the implementation path, and what most companies get wrong. zero-trust security architecture

Embracing Remote Work: Benefits, Dangers, and Overcoming Challenges June 4, 2021 · 6 min After years of building and running distributed engineering teams, here are the actual benefits, real dangers, and hard-won lessons about making remote work stick. remote-work management culture

DevSecOps in Practice: What I Actually Implement April 19, 2021 · 7 min The concrete pipeline configs, policy-as-code patterns, and runtime controls I set up to bake security into delivery. devsecops security devops

Your Software Supply Chain Is Probably a Mess January 11, 2021 · 8 min What SolarWinds taught us about supply chain security, and the concrete steps I've been implementing at enterprise scale. security supply-chain sbom

SolarWinds Got Owned. Your Build Pipeline Might Be Next. December 14, 2020 · 5 min The SolarWinds supply-chain compromise is the wake-up call every software team needed. What happened, why it matters, and what you should do right now. security supply-chain solarwinds

Your Container Image Scan Passed. Now What? November 30, 2020 · 8 min Image scanning tells you what's in the box. Runtime security tells you what the box is doing. Here's how we lock down containers at Decloud with seccomp, network policies, Falco, and paranoia earned from NATO work. containers security kubernetes

Your VPN Is a Liability. Here's What Replaces It. November 2, 2020 · 6 min VPNs trust the network. Zero trust trusts nothing. After years in NATO cyber defense and building infrastructure at Decloud, I've watched the perimeter model collapse in real time. Here's how to actually migrate. zero-trust vpn security

Your Cloud Security Is Falling Apart Right Now April 27, 2020 · 7 min Everyone's scrambling to scale cloud infrastructure overnight. I've seen what happens when security gets deprioritized under pressure — at NATO exercises, at Decloud, at the fintech startup. Here's how to not become a headline. security cloud aws

Your Incident Response Plan Is Useless Until Someone Bleeds July 15, 2019 · 7 min Most incident response plans are shelf-ware. Here's what actually matters when your infrastructure is on fire -- drawn from real breaches, NATO cyber exercises, and startup chaos. security incident-response devops

Kubernetes Ships Insecure by Default. Here's What to Do About It. April 22, 2019 · 5 min Kubernetes defaults optimize for fast adoption, not safety. A hardening checklist drawn from running clusters at the fintech startup, Dropbyke, and early Decloud work. kubernetes security infrastructure

Container Security in 2018: What Actually Changed August 20, 2018 · 3 min Eight months after my first container security post, an update on what moved at the fintech startup and in the ecosystem — PodSecurityPolicy, image signing, and the shift from scratch to real. security containers docker

Securing Microservices: What Actually Works July 23, 2018 · 7 min You split the monolith. Now every service-to-service call is an attack surface. Here's how I think about identity, authorization, encryption, and secrets management in distributed systems. security microservices authentication

Zero Trust Is Not a Product. Here's How We Actually Built It. February 19, 2018 · 5 min Perimeter security is dead. At the fintech startup, I ripped out the castle-and-moat model and replaced it with zero trust — identity-first, micro-segmented, no implicit trust anywhere. Here's what that actually looked like. security architecture zero-trust

Spectre and Meltdown Broke My Weekend January 8, 2018 · 4 min Five days after the Spectre/Meltdown disclosure, a CTO's raw take on what happened, what we patched, and why this changes the game for anyone running shared infrastructure. security infrastructure cpu

Your Containers Aren't Secure. Here's What to Actually Do About It. December 4, 2017 · 5 min Containers give you process isolation, not a security boundary. I break down how we hardened images, locked down runtimes, and segmented networks at the fintech startup — plus the stuff nobody warns you about. containers docker kubernetes

Your Startup Doesn't Need a Security Team. It Needs a Security Champion. September 18, 2017 · 5 min You can't afford a security team at a startup. But you can turn one motivated engineer per squad into a security champion — and that changes everything. security startups engineering

Stop Doing Security Reviews by Hand July 17, 2017 · 5 min Your manual security gate is a bottleneck pretending to be a process. Here's how I moved security checks into the pipeline at the fintech startup so we could ship fast without shipping stupid. security devops devsecops

WannaCry Hit. Here's What It Actually Exposed. May 15, 2017 · 4 min WannaCry wasn't sophisticated. It was a known exploit with a patch already out. The real failure was organizational, and it's one most companies are still making right now. security ransomware incident-response

GDPR Is an Engineering Problem, Not a Legal One February 27, 2017 · 6 min We're 15 months from GDPR enforcement. Here's the technical checklist I'm working through at the fintech startup — data inventory, consent, deletion, and everything else engineering actually has to build. gdpr privacy security

Securing APIs: Authentication and Authorization Patterns December 19, 2016 · 6 min APIs expose your systems to the world. Here's how to implement authentication and authorization that protects your data without frustrating legitimate users. security api authentication

Building a Security-First Engineering Culture October 3, 2016 · 5 min Security culture is not a training program or a tool purchase. It is a set of habits that leadership enforces through consistency, not speeches. security engineering culture

Security Incident Response for Startups May 23, 2016 · 9 min A practical incident response playbook for small teams: define incidents, assign owners, contain fast, investigate calmly, and recover with clear communication. security incident-response startups