Platform security
Every major platform security topic we audit: cloud, Kubernetes, identity, application security, infrastructure, and BaaS. Complete hardening guides, misconfiguration patterns, and the specific attacks we find on engagements.
Cloud + Kubernetes 8
Ten-layer defense model. API server, auth, RBAC, pod security, network policies, secrets, image security, supply chain, runtime detection, upgrade cadence.
AWS / Azure / GCP IR. Pre-incident prep, six-phase process, per-provider playbooks, common 2026 attack patterns.
Policy-as-Code enforcement via Pod Security Standards, Gatekeeper, and Kyverno.
Common RBAC patterns that enable privilege escalation to cluster-admin.
Wiz, Orca, Prisma, Lacework. A vendor-by-vendor comparison based on production deployments.
The cloud vuln that built a career for every cloud pentester. IMDSv1 vs IMDSv2.
The two Cognitos problem (User Pools versus Identity Pools) and the privilege escalation vectors it produces.
Port 5000 (the Docker Registry default) is a container shopping mall. What leaks and how to close it.
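The RBAC teaser above names the patterns that lead to cluster-admin without saying what they look like in a manifest. The script below is an added example written for this page, not code from any of the posts: it checks parsed ClusterRole objects (the shape `kubectl get clusterrole -o json` returns) against a list of verb/resource combinations that are known escalation paths. The three roles are constructed for the example and come from no real cluster.

```python
# Constructed ClusterRole manifests as parsed dicts; illustrative, not from a real cluster.
READ_ONLY_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "viewer"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list", "watch"]},
    ],
}

# A typical "CI deployer" role: looks harmless, but pods/create plus secrets/get is cluster-admin in practice.
CI_DEPLOYER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ci-deployer"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update", "patch"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    ],
}

WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "ops-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# (apiGroup, resource, verb, why it leads to cluster-admin or its equivalent)
ESCALATION_CHECKS = [
    ("", "secrets", "get", "read any Secret, including service account tokens"),
    ("", "secrets", "list", "list returns Secret contents, same as get"),
    ("", "pods", "create", "create a pod that mounts any service account or the host filesystem"),
    ("", "pods/exec", "create", "exec into existing pods and take their service account tokens"),
    ("", "serviceaccounts/token", "create", "mint a token for any service account (TokenRequest)"),
    ("", "users", "impersonate", "impersonate any user, including system:masters members"),
    ("", "groups", "impersonate", "impersonate any group, including system:masters"),
    ("apps", "deployments", "create", "run arbitrary pods indirectly through a Deployment pod template"),
    ("apps", "daemonsets", "create", "run a workload on every node in the cluster"),
    ("rbac.authorization.k8s.io", "clusterroles", "bind", "bind cluster-admin to any subject"),
    ("rbac.authorization.k8s.io", "clusterroles", "escalate", "grant permissions the role does not itself hold"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create",
     "create bindings (combine with bind/escalate or permissions already held)"),
]


def rule_grants(rule, api_group, resource, verb):
    """Kubernetes matching semantics: '*' is a wildcard; subresources (pods/exec) must be listed explicitly."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def escalation_paths(role):
    """Return one human-readable finding per escalation check the role satisfies."""
    findings = []
    for api_group, resource, verb, why in ESCALATION_CHECKS:
        if any(rule_grants(rule, api_group, resource, verb) for rule in role.get("rules", [])):
            qualified = f"{resource}.{api_group}" if api_group else resource
            findings.append(f"{verb} {qualified}: {why}")
    return findings


if __name__ == "__main__":
    for role in (READ_ONLY_ROLE, CI_DEPLOYER_ROLE, WILDCARD_ROLE):
        print(role["metadata"]["name"], escalation_paths(role) or ["no escalation path found"])
```

The same checks apply to a namespaced Role, but the blast radius is then the namespace rather than the cluster; a ClusterRole with pods/create is the case that reaches every node.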
Identity + Access 10
The 8 configuration gaps we find in every M365 Entra audit.
The privilege boundary every AD audit must check: Domain Admins must never log on to user endpoints.
What actually changed from OAuth 2.0 to 2.1 and how to migrate. PKCE required for every client, exact redirect URI matching, implicit and password grants removed.
Multi-year ZTA roadmap. Five-pillar maturity model. Vendor shootout. Seven anti-patterns.
Past the buzzword. NIST SP 800-207 deployment. Vendor benchmarking.
Real-world ZTA playbook for companies with no corporate network.
Your Auth0 tenant runs code you have not audited: Actions and Rules. Identity platform code review.
The field Clerk explicitly labeled unsafe (unsafeMetadata, writable by the end user from the browser) that developers still use for roles.
Why MFA number matching is not enough anymore. Adversary-in-the-middle (AitM) proxy bypass techniques.
What Scattered Spider is doing against Okta tenants in 2026.
Application + API 7
OWASP API Top 10 walkthrough. Authentication shootout. Rate limiting patterns. GraphQL, gRPC, event-driven.
Kong, Apigee, AWS API Gateway. The gateway is either the strongest or the weakest layer; there is no neutral.
The AppSec tool shootout. What actually catches bugs in modern codebases.
Tool integration patterns. Security Champions. 90-day launch plan. Organizational patterns.
Stripe, Twilio, SendGrid webhook verification. The forged-webhook breach pattern.
Auth rule patterns, RLS enforcement, production hardening.
The multi-million dollar guest-user-exposure pattern.
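The webhook teaser above names the forged-webhook breach pattern: a handler that trusts whatever JSON arrives at its URL. The block below is an added example written for this page, not code from the post or from Stripe, Twilio or SendGrid. It implements Stripe's documented v1 scheme (HMAC-SHA256 over `timestamp.rawbody` with the endpoint secret, carried in a `Stripe-Signature: t=...,v1=...` header, five-minute replay window) and places the unverified handler beside the verified one. The endpoint secret, timestamp and event bodies are constructed for the example; Twilio (HMAC-SHA1 over URL and parameters) and SendGrid (ECDSA over timestamp and body) differ in primitive and encoding, but the shape of the check is the same.

```python
import hashlib
import hmac
import json

# Constructed endpoint secret and events; not real Stripe credentials or traffic.
ENDPOINT_SECRET = "whsec_example_not_a_real_secret"
TOLERANCE_SECONDS = 300  # Stripe's documented replay window
TS = 1_700_000_000
GENUINE_BODY = json.dumps({"id": "evt_example", "type": "checkout.session.completed",
                           "data": {"object": {"id": "cs_genuine", "amount_total": 4999}}}).encode()
FORGED_BODY = json.dumps({"id": "evt_forged", "type": "checkout.session.completed",
                          "data": {"object": {"id": "cs_forged", "amount_total": 4999}}}).encode()


def stripe_signature(secret: str, payload: bytes, timestamp: int) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the endpoint secret (Stripe's v1 scheme)."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def build_header(secret: str, payload: bytes, timestamp: int) -> str:
    """Produce the Stripe-Signature header; plays the sender's role in this example."""
    return f"t={timestamp},v1={stripe_signature(secret, payload, timestamp)}"


def verify_stripe_signature(header: str, payload: bytes, secret: str, now: int,
                            tolerance: int = TOLERANCE_SECONDS) -> bool:
    """Parse the header, reject stale timestamps, then compare in constant time against every v1 candidate."""
    timestamp = None
    candidates = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            return False  # malformed or empty header
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)  # Stripe may send several v1 values during secret rotation
    if timestamp is None or not candidates:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(now - ts) > tolerance:
        return False  # replayed or far-future event
    expected = stripe_signature(secret, payload, ts).encode()
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def fulfil_order_unverified(payload: bytes) -> str:
    """The breach pattern: anyone who can reach the URL can mark any session as paid."""
    event = json.loads(payload)
    if event["type"] == "checkout.session.completed":
        return event["data"]["object"]["id"]
    return "ignored"


def fulfil_order_verified(header: str, payload: bytes, secret: str, now: int) -> str:
    """Hardened form: verify over the raw bytes first, parse JSON only afterwards."""
    if not verify_stripe_signature(header, payload, secret, now):
        return "rejected"
    return fulfil_order_unverified(payload)


if __name__ == "__main__":
    header = build_header(ENDPOINT_SECRET, GENUINE_BODY, TS)
    print("genuine:", fulfil_order_verified(header, GENUINE_BODY, ENDPOINT_SECRET, TS))
    print("forged, unverified handler:", fulfil_order_unverified(FORGED_BODY))
    print("forged, verified handler:", fulfil_order_verified(header, FORGED_BODY, ENDPOINT_SECRET, TS))
```

Two details matter in production: verify over the raw request bytes before any framework has re-serialised the JSON, and key the idempotency check on the event id so a replayed genuine event inside the tolerance window is not fulfilled twice.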
Infrastructure Security 12
Vault architecture shootout. Rotation cadence. Dynamic secrets. Incident response for exposed secrets.
HashiCorp Vault agent injector patterns and the attacks against them.
Kubernetes Secrets are not secret: base64 is encoding, not encryption. Proper secret management for Helm deployments.
The file nobody should be able to read. Terraform state is a password dump.
Why GitHub Actions is the weakest link in most CI/CD pipelines.
The email security stack that still works. BIMI. MTA-STS. DMARC p=reject.
DoH killed network DNS visibility. Three workable 2026 strategies.
PowerShell hardening: Constrained Language Mode, script block logging, and the configuration Windows shops need.
macOS hardening beyond MDM defaults. FileVault recovery key escrow, Gatekeeper, XProtect, firewall configuration.
The backup strategy that actually survives ransomware in 2026.
Finally worth deploying at scale. When, why, which vendor.
Post-quantum default, legacy algorithm removal, agent forwarding changes.
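The Terraform teaser above calls state a password dump because every attribute Terraform marks sensitive is still stored in the state file in plaintext; the sensitive flag only governs what `terraform plan` prints. The script below is an added example written for this page, not tooling from the post or from HashiCorp: it walks a v4 state document, reports every value flagged in `sensitive_attributes` or exposed as a sensitive output, and adds a name-based heuristic for providers that forget to mark fields. The state document is constructed for the example and every value in it is a placeholder.

```python
import json
import re

# Attribute names that are almost always credentials, even when the provider schema does not flag them.
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|private_key|api_key|credential)", re.I)

# Constructed minimal Terraform v4 state; every value is a placeholder, not a real credential.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "outputs": {
        "db_password": {"value": "Example-Not-Real-Pw", "type": "string", "sensitive": True},
        "region": {"value": "eu-west-1", "type": "string"},
    },
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
         "instances": [{"schema_version": 2,
                        "attributes": {"identifier": "prod-db", "username": "app",
                                       "password": "Example-Not-Real-Pw",
                                       "endpoint": "prod-db.example.internal:5432"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "tls_private_key", "name": "ca",
         "provider": "provider[\"registry.terraform.io/hashicorp/tls\"]",
         "instances": [{"schema_version": 0,
                        "attributes": {"algorithm": "RSA",
                                       "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\nEXAMPLE\n-----END RSA PRIVATE KEY-----\n",
                                       "public_key_pem": "-----BEGIN PUBLIC KEY-----\nEXAMPLE\n-----END PUBLIC KEY-----\n"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "private_key_pem"}]]}]},
        {"mode": "managed", "type": "kubernetes_secret", "name": "app",
         "provider": "provider[\"registry.terraform.io/hashicorp/kubernetes\"]",
         "instances": [{"schema_version": 0,
                        "attributes": {"data": {"API_TOKEN": "example-token"},
                                       "metadata": [{"name": "app", "namespace": "prod"}]},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "data"}]]}]},
    ],
})


def _walk(value, path):
    """Yield (dotted path, leaf) for every scalar inside nested dicts and lists."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")
    else:
        yield path, value


def find_secrets(state_json: str):
    """Return [(address, plaintext value)] for every credential the state file carries."""
    state = json.loads(state_json)
    findings = []
    for name, output in state.get("outputs", {}).items():
        if output.get("sensitive") or SENSITIVE_NAME.search(name):
            findings.append((f"output.{name}", output["value"]))
    for resource in state.get("resources", []):
        for instance in resource.get("instances", []):
            address = f"{resource['type']}.{resource['name']}"
            if "index_key" in instance:
                address += f"[{instance['index_key']}]"
            # Top-level attribute names Terraform itself marked sensitive for this instance.
            marked = {path[0]["value"] for path in instance.get("sensitive_attributes", [])
                      if path and isinstance(path[0], dict) and path[0].get("type") == "get_attr"}
            for path, leaf in _walk(instance.get("attributes", {}), address):
                relative = path[len(address) + 1:]
                top_level = re.split(r"[.\[]", relative, 1)[0]
                if (top_level in marked or SENSITIVE_NAME.search(relative)) and isinstance(leaf, str) and leaf:
                    findings.append((path, leaf))
    return findings


if __name__ == "__main__":
    for address, value in find_secrets(SAMPLE_STATE):
        print(f"{address} -> {value[:8]}...")  # print a prefix only; the point is that the full value is there
```

Run it against a `terraform state pull` of a real workspace and the output is the list of everything an attacker gets from read access to the backend bucket, which is why the fix is backend access control and encryption rather than anything inside the configuration.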
BaaS + Platform 15
Supabase: when Row-Level Security is not enough. service_role key leaks and realtime channels.
Anonymous signup + open Firestore rules = full database access.
Self-hosted BaaS that ships with permissive defaults.
New Firebase anti-pattern. Admin API exposed, permissive collection rules.
The Public role over-permission trap.
When the CMS reads production database tables.
Shodan indexes thousands of unauthenticated Elasticsearch clusters every week.
Why 2026 still finds Redis instances with no requirepass.
48,000 exposed MongoDB instances as of this week.
S3-compatible is not S3-secure.
OIDC discovery endpoints reveal more than you think.
Anonymous read by default. The first link in production compromise.
The internal/info/ endpoint that hands you the database.
The default admin password is the pod name. Nobody changes it.
admin:admin still works on one in five internet-facing Grafana instances.
Running a pentest on any of these?
We run platform-specific security engagements for mid-market and enterprise clients. The posts above document what we actually find. The engagement produces the specific remediation plan for your environment.
Our Services