Writing.
Essays, technical briefings, and case studies. Opinionated, specific, and written for practitioners.
-
Briefing · Apr 5, 2026 · 3 min read
Hardening GitHub Actions OIDC trust policies on AWS
A practical walkthrough of the subject-condition patterns that actually scope OIDC trust correctly — and the four mistakes we find in nearly every audit.
- aws
- ci-cd
- iam
- oidc
-
Briefing · Mar 12, 2026 · 4 min read
The SOC 2 evidence tax: why your control evidence is eating your engineering calendar
Most SOC 2 programs fail at collection, not at design. A look at why evidence gathering takes three times longer than it should — and the pattern we use to cut it down.
- soc-2
- compliance
- audit-prep
-
Briefing · Feb 4, 2026 · 4 min read
Reading CloudTrail like an incident responder, not a compliance officer
The queries that surface lateral movement are nothing like the queries that satisfy a SOC 2 audit. A short guide to what to look for when the logs actually matter.
- aws
- detection
- cloudtrail
- incident-response
-
Briefing · Dec 15, 2025 · 4 min read
Three cloud cost anti-patterns that survive every FinOps review
The line items that keep surviving cost-optimization passes, why they hide in plain sight, and what to change in the next billing cycle.
- finops
- aws
- cost-optimization
-
Briefing · Oct 22, 2025 · 3 min read
IMDSv2 is not a migration project
The instance metadata service is still the most common pivot point in cloud breaches. Treating IMDSv2 as an account-level default — not a per-workload migration — closes the attack surface in an afternoon.
- aws
- ec2
- iam
- hardening
-
Briefing · Aug 7, 2025 · 4 min read
Why your ISO 27001 Statement of Applicability keeps drifting
The SoA is supposed to be the fingerprint of your control environment. In most companies it’s a snapshot from a year ago. A look at why, and the mechanism that keeps it honest.
- iso-27001
- compliance
- governance
-
Briefing · Jun 18, 2025 · 4 min read
The backup you haven’t restored isn’t a backup
RTO and RPO on paper are not the same as RTO and RPO in an incident. A short guide to the restore rehearsal most teams skip, and why skipping it reliably produces the worst kind of outage.
- backup
- disaster-recovery
- resilience
-
Briefing · May 9, 2025 · 4 min read
Reading a pentest report your board will actually act on
Pentest reports are written for engineers and read by executives. A short guide to what separates a report that drives remediation from one that gets filed and forgotten.
- pentest
- reporting
- governance
-
Briefing · Apr 14, 2025 · 5 min read
The observability bill problem nobody wants to solve
A modern observability stack routinely costs more than the infrastructure it observes. A look at why, and what to cut first without losing the signal that matters.
- observability
- finops
- monitoring