Writing
Essays, technical briefings, and case studies. Opinionated, specific, and written for practitioners.
- Briefing · 3 min read
Hardening GitHub Actions OIDC trust policies on AWS
A practical walkthrough of the subject-condition patterns that actually scope OIDC trust correctly — and the four mistakes we find in nearly every audit.
aws · ci-cd · iam · oidc

- Briefing · 4 min read
The SOC 2 evidence tax: why your control evidence is eating your engineering calendar
Most SOC 2 programs fail at collection, not at design. A look at why evidence gathering takes three times longer than it should — and the pattern we use to cut it down.
soc-2 · compliance · audit-prep

- Briefing · 4 min read
Reading CloudTrail like an incident responder, not a compliance officer
The queries that surface lateral movement are nothing like the queries that satisfy a SOC 2 audit. A short guide to what to look for when the logs actually matter.
aws · detection · cloudtrail · incident-response

- Briefing · 4 min read
Three cloud cost anti-patterns that survive every FinOps review
The line items that keep surviving cost-optimization passes, why they hide in plain sight, and what to change in the next billing cycle.
finops · aws · cost-optimization

- Briefing · 3 min read
IMDSv2 is not a migration project
The instance metadata service is still the most common pivot point in cloud breaches. Treating IMDSv2 as an account-level default — not a per-workload migration — closes the attack surface in an afternoon.
aws · ec2 · iam · hardening

- Briefing · 4 min read
Why your ISO 27001 Statement of Applicability keeps drifting
The SoA is supposed to be the fingerprint of your control environment. In most companies it's a snapshot from a year ago. A look at why, and the mechanism that keeps it honest.
iso-27001 · compliance · governance

- Briefing · 4 min read
The backup you haven't restored isn't a backup
RTO and RPO on paper are not the same as RTO and RPO in an incident. A short guide to the restore rehearsal most teams skip, and why skipping it reliably produces the worst kind of outage.
backup · disaster-recovery · resilience

- Briefing · 4 min read
Reading a pentest report your board will actually act on
Pentest reports are written for engineers and read by executives. A short guide to what separates a report that drives remediation from one that gets filed and forgotten.
vapt · pentest · reporting · governance

- Briefing · 5 min read
The observability bill problem nobody wants to solve
A modern observability stack routinely costs more than the infrastructure it observes. A look at why, and what to cut first without losing the signal that matters.
observability · finops · monitoring