Good post about getting the basics right: 7 things you can do now that will simplify SOC2 for you down the road while making your life, or at least your security posture, materially better in the immediacy.

This post discusses some dangers that arise when using HostPath PersistentVolumes, which cannot be secured by operators and can result in Pod escapes.

Are the cloud WAFs any good in blocking common web application attacks? Someone decided to find out, and the results were surprising.

In part 1 of this series, the SpecterOps team talks through traffic mirroring functions within AWS and abuse scenarios of the feature.

Post sharing the experiences and learnings gathered while embracing disaster tolerance using serverless. Key point: you should really design your cloud architectures for disaster tolerance from the start (even if it is counter intuitive to do so by lean principles).

While it's true that AWS has done a lot in the past year to improve S3 bucket security, for some reason we’re still seeing breaches occur with a regular cadence. This post proposes some additional suggestions.

This project provides a bootstrap framework for a complete offensive, defensive, reverse engineering, & security intelligence tooling in a private research lab using the AWS Cloud. It contains vulnerable systems and a toolkit of the most powerful open-source / community edition tools known to Penetration testers.

Companion blog post for the open-source project Kubernetes Event Exporter, which watches for events and exports them to many systems such as Elasticsearch, Slack or plain webhooks.

Istio version 1.5, released on March 5, continues the shift towards operational maturity. This new release combines some major architectural and API changes with increased automation and tooling.

Some new rules for detecting important events (like disabling CloudTrail, or active usage of the root account) in the AWS Cloud.

AWS released Bottlerocket, a new Linux-based open source operating system designed and optimized specifically for use as a container host.

Bottlerocket also has a TUF (The Update Framework) implementation!

5 key considerations financial institutions should focus on to help streamline the whitelisting of cloud services for their most confidential data.

You can now use AWS KMS keys to provide envelope encryption of Kubernetes secrets stored in EKS.

A demo showing how Vault can use Azure Active Directory authentication to allow pods running on AKS to access secrets stored in Vault.