tl;dr — TrailTool is in early access at trailtool.io. It pre-aggregates CloudTrail into an access graph so AI agents can answer security questions without drowning in raw logs. Built for IAM least privilege workflows, incident investigations, and anything that needs...
GRC tools like Vanta cost $12K+/year and lock your compliance docs in proprietary systems. GraphGRC v2 gives you SOC 2 documentation in GitHub - pre-written controls, policies, and processes in Markdown with automated validation. Free and open source.
Dependabot throws security alerts but sometimes can't create pull requests. Here's a GitHub Action that automatically sends failed alerts to Copilot for resolution.
Raccoons are both advanced and persistent threats. After one attacked my chihuahua Jolene, I declared war on my backyard invaders. Through ultrasonic deterrents, motion-activated sprinklers, and wacky inflatable air dancers, I learned critical security lessons - including that removing attacker...
Data retention covers two different problems - preservation (minimum time you must keep archival data) and deletion (maximum time you can keep personal data). They require opposite technical approaches - one prevents deletion, the other enforces it. The elegant solutions?...
Your new hire sits through generic security training, clicks through a 47-page policy, and gets random access over time. Three months later they ping for production access. The policies? Nobody's looked at them since day one. There's a better way....
Modern software companies use a lot of software services. Traditional security teams address third-party risk through certifications and questionnaires, but there's an opportunity to actually reduce risk by collaborating with implementation teams on secure configuration decisions.
A framework for helping security engineers choose high-impact work using three criteria - business goals, implicit interest, and personal growth.
Running EKS in FedRAMP environments requires careful implementation across multiple security domains.
Learn how software vendors can serve FedRAMP-authorized cloud service providers without going through the full authorization process.
Learn how to leverage AWS Bedrock to create a FedRAMP-compliant AI assistant for your System Security Plan without exposing sensitive information.