{
  "site": "systemshardening.com",
  "description": "Hardening real systems in production, for engineers who actually run them.",
  "generated": "2026-05-27T09:08:40.620Z",
  "total_articles": 894,
  "categories": [
    {
      "slug": "cross-cutting",
      "name": "Cross-Cutting Guides",
      "count": 122
    },
    {
      "slug": "kubernetes",
      "name": "Kubernetes / Platform",
      "count": 111
    },
    {
      "slug": "linux",
      "name": "Linux / OS Hardening",
      "count": 109
    },
    {
      "slug": "network",
      "name": "Network & API Security",
      "count": 111
    },
    {
      "slug": "cicd",
      "name": "CI/CD & Supply Chain",
      "count": 116
    },
    {
      "slug": "ai-landscape",
      "name": "AI & Security Landscape",
      "count": 107
    },
    {
      "slug": "observability",
      "name": "Observability & Detection",
      "count": 106
    },
    {
      "slug": "wasm",
      "name": "WebAssembly",
      "count": 112
    }
  ],
  "articles": [
    {
      "title": "Preventing Secret Exfiltration via AI Coding Tool Context Windows",
      "url": "/articles/ai-landscape/ai-coding-tool-secret-exfiltration/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-coding-tool-secret-exfiltration/",
      "category": "ai-landscape",
      "tags": ["ai-coding","secrets","exfiltration","copilot","cursor","claude-code","llm","context-window"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-27T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "GitHub Actions pull_request_target Injection: The Secrets-Leaking Trigger",
      "url": "/articles/cicd/github-actions-pull-request-target-injection/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-actions-pull-request-target-injection/",
      "category": "cicd",
      "tags": ["github-actions","pull-request-target","supply-chain","secrets","injection","cicd-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-27T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "CDN and Third-Party Script Supply Chain Security: Lessons from polyfill.io",
      "url": "/articles/cross-cutting/cdn-third-party-script-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/cdn-third-party-script-supply-chain/",
      "category": "cross-cutting",
      "tags": ["cdn","supply-chain","sri","csp","polyfill","javascript","third-party","subresource-integrity"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-27T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Argo Workflows Template Injection via User-Controlled Parameters",
      "url": "/articles/kubernetes/argo-workflows-template-injection/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/argo-workflows-template-injection/",
      "category": "kubernetes",
      "tags": ["argo-workflows","template-injection","kubernetes","rbac","workflow","expression","security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Hardening Against needrestart LPE and the /proc/environ Injection Pattern",
      "url": "/articles/linux/linux-needrestart-lpe-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-needrestart-lpe-hardening/",
      "category": "linux",
      "tags": ["needrestart","lpe","privilege-escalation","proc","environ","hardening","cve-2024-48990"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-27T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","sre"]
    },
    {
      "title": "Hardening Network Edge Devices Against Nation-State CVE Exploitation",
      "url": "/articles/network/network-edge-device-vpn-cve-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/network-edge-device-vpn-cve-hardening/",
      "category": "network",
      "tags": ["edge-devices","vpn","ivanti","palo-alto","fortinet","cve","nation-state","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-27T00:00:00.000Z",
      "personas": ["network-engineer","security-engineer","sre"]
    },
    {
      "title": "Prometheus Operator RBAC: Cluster-Wide Secret Access via ServiceMonitor",
      "url": "/articles/observability/prometheus-operator-rbac-privilege-escalation/",
      "full_url": "https://www.systemshardening.com/articles/observability/prometheus-operator-rbac-privilege-escalation/",
      "category": "observability",
      "tags": ["prometheus","operator","rbac","privilege-escalation","kubernetes","secrets","monitoring"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-27T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Security Implications of Asyncify-Transformed Wasm Modules",
      "url": "/articles/wasm/wasm-asyncify-security-implications/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-asyncify-security-implications/",
      "category": "wasm",
      "tags": ["wasm","asyncify","emscripten","coroutines","security","control-flow","attack-surface"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-27T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "AI-Accelerated CVE Discovery and What It Means for Your Patch Lag",
      "url": "/articles/ai-landscape/ai-accelerated-cve-discovery-response/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-accelerated-cve-discovery-response/",
      "category": "ai-landscape",
      "tags": ["cve","ai","vulnerability-discovery","fuzzing","patch-velocity","llm","threat-intelligence"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-16T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","ml-engineer"]
    },
    {
      "title": "Managing CVE Remediation Pipelines at Scale",
      "url": "/articles/cicd/cve-remediation-pipeline-at-volume/",
      "full_url": "https://www.systemshardening.com/articles/cicd/cve-remediation-pipeline-at-volume/",
      "category": "cicd",
      "tags": ["cve","renovate","dependabot","remediation","epss","auto-merge","patch-management","cicd"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-16T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "CVE Program Resilience: Building Beyond NVD Dependency",
      "url": "/articles/cross-cutting/cve-program-resilience-nvd-alternatives/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/cve-program-resilience-nvd-alternatives/",
      "category": "cross-cutting",
      "tags": ["cve","nvd","osv","vulnerability-management","mitre","resilience","ghsa","threat-intelligence"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-16T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "EPSS-Driven CVE Patch Prioritization for Kubernetes Workloads",
      "url": "/articles/kubernetes/kubernetes-epss-driven-patch-prioritization/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-epss-driven-patch-prioritization/",
      "category": "kubernetes",
      "tags": ["kubernetes","cve","epss","cvss","patch-prioritization","trivy","grype","vulnerability-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-16T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Reducing Your Applicable Linux Kernel CVE Count via Attack Surface Reduction",
      "url": "/articles/linux/linux-kernel-cve-attack-surface-reduction/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-kernel-cve-attack-surface-reduction/",
      "category": "linux",
      "tags": ["kernel","cve","attack-surface","modules","seccomp","hardening","patch-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-16T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","sre"]
    },
    {
      "title": "Compensating for NVD Enrichment Lag in Network Vulnerability Scanning",
      "url": "/articles/network/nvd-enrichment-lag-scanner-compensation/",
      "full_url": "https://www.systemshardening.com/articles/network/nvd-enrichment-lag-scanner-compensation/",
      "category": "network",
      "tags": ["nvd","cve","vulnerability-scanning","osv","cvss","scanner","enrichment","nist"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-16T00:00:00.000Z",
      "personas": ["security-engineer","sre","network-engineer"]
    },
    {
      "title": "Integrating CISA KEV into Your SIEM for Real-Time Exploitation Alerts",
      "url": "/articles/observability/cisa-kev-alerting-integration/",
      "full_url": "https://www.systemshardening.com/articles/observability/cisa-kev-alerting-integration/",
      "category": "observability",
      "tags": ["cisa","kev","siem","cve","alerting","threat-intelligence","vulnerability-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-16T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Tracking CVEs Across the Wasm Runtime Supply Chain",
      "url": "/articles/wasm/wasm-runtime-cve-tracking-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-runtime-cve-tracking-supply-chain/",
      "category": "wasm",
      "tags": ["wasm","wasmtime","wasmedge","wazero","cve","supply-chain","runtime","patch-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-16T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "Hardening NGINX as a Reverse Proxy for AI Inference Endpoints",
      "url": "/articles/ai-landscape/nginx-ai-inference-proxy-hardening/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/nginx-ai-inference-proxy-hardening/",
      "category": "ai-landscape",
      "tags": ["nginx","inference","llm","reverse-proxy","rate-limiting","vllm","api-gateway","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-15T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "NGINX Configuration Security Scanning in CI",
      "url": "/articles/cicd/nginx-config-security-ci-pipeline/",
      "full_url": "https://www.systemshardening.com/articles/cicd/nginx-config-security-ci-pipeline/",
      "category": "cicd",
      "tags": ["nginx","cicd","gixy","conftest","opa","security-scanning","configuration","pipeline"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-15T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "NGINX CVE Patch Management Across Mixed Bare Metal, VM, and Kubernetes Fleets",
      "url": "/articles/cross-cutting/nginx-fleet-patch-management/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/nginx-fleet-patch-management/",
      "category": "cross-cutting",
      "tags": ["nginx","patch-management","fleet","cve","ansible","kubernetes","bare-metal","vulnerability-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-15T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "Automated ingress-nginx Version Management and CVE Response",
      "url": "/articles/kubernetes/nginx-ingress-controller-version-pinning/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/nginx-ingress-controller-version-pinning/",
      "category": "kubernetes",
      "tags": ["ingress-nginx","helm","renovate","cve-patching","kubernetes","ingress","version-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-15T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Limiting NGINX Worker Process Blast Radius with OS-Level Controls",
      "url": "/articles/linux/linux-nginx-worker-privilege-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-nginx-worker-privilege-hardening/",
      "category": "linux",
      "tags": ["nginx","seccomp","namespaces","privilege","worker","hardening","cve-mitigation"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-15T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","sre"]
    },
    {
      "title": "CVE-2025-23419: mTLS Session Resumption Bypass in NGINX",
      "url": "/articles/network/nginx-mtls-session-resumption-cve/",
      "full_url": "https://www.systemshardening.com/articles/network/nginx-mtls-session-resumption-cve/",
      "category": "network",
      "tags": ["nginx","mtls","tls","session-resumption","cve-2025-23419","certificates","hardening"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-15T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer","systems-engineer"]
    },
    {
      "title": "Detecting NGINX CVE Exploitation via Logs and Runtime Signatures",
      "url": "/articles/observability/nginx-cve-exploitation-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/nginx-cve-exploitation-detection/",
      "category": "observability",
      "tags": ["nginx","cve","detection","suricata","falco","exploitation","logging","siem"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-15T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "NGINX NJS Security Hardening vs. Wasm Filter Isolation",
      "url": "/articles/wasm/nginx-njs-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/wasm/nginx-njs-security-hardening/",
      "category": "wasm",
      "tags": ["nginx","njs","wasm","javascript","sandboxing","isolation","filters","security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-15T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "Securing MCP Elicitation Against Social Engineering and Prompt Injection",
      "url": "/articles/ai-landscape/mcp-elicitation-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mcp-elicitation-security/",
      "category": "ai-landscape",
      "tags": ["mcp","elicitation","social-engineering","prompt-injection","user-consent","llm-agents"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-14T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "Securing GitHub Copilot Workspace Autonomous PR Generation",
      "url": "/articles/cicd/github-copilot-workspace-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-copilot-workspace-security/",
      "category": "cicd",
      "tags": ["github","copilot","ai","autonomous-agents","supply-chain","permissions","code-review"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-14T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Meeting Cyber Insurance Technical Requirements: A Control Implementation Guide",
      "url": "/articles/cross-cutting/cyber-insurance-technical-requirements/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/cyber-insurance-technical-requirements/",
      "category": "cross-cutting",
      "tags": ["cyber-insurance","compliance","mfa","edr","backup","incident-response","controls"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-14T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Securing Kubernetes Sidecar Injection Against Rogue Container Injection",
      "url": "/articles/kubernetes/kubernetes-sidecar-injection-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-sidecar-injection-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","sidecar","mutating-webhook","istio","dapr","supply-chain","admission-control"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-14T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Hardening Linux AF_VSOCK Against VM-to-Host Escape",
      "url": "/articles/linux/linux-vsock-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-vsock-security/",
      "category": "linux",
      "tags": ["vsock","virtualization","vm-escape","kernel","seccomp","cve","hardening"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-14T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Hardening RADIUS Against the Blast RADIUS Attack (CVE-2024-3596)",
      "url": "/articles/network/radius-blast-radius-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/radius-blast-radius-hardening/",
      "category": "network",
      "tags": ["radius","authentication","cve-2024-3596","radsec","tls","network-access","802.1x"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-14T00:00:00.000Z",
      "personas": ["security-engineer","systems-engineer","sre"]
    },
    {
      "title": "Defending Prometheus Against High-Cardinality Label Injection and DoS",
      "url": "/articles/observability/prometheus-cardinality-dos-defence/",
      "full_url": "https://www.systemshardening.com/articles/observability/prometheus-cardinality-dos-defence/",
      "category": "observability",
      "tags": ["prometheus","cardinality","dos","remote-write","metrics","hardening","monitoring"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-14T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "Security Implications of Wasm Shared-Everything Threads",
      "url": "/articles/wasm/wasm-shared-everything-threads-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-shared-everything-threads-security/",
      "category": "wasm",
      "tags": ["wasm","threads","shared-memory","isolation","gc","concurrency","security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-14T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "Detecting Abuse of LLM API Keys and Inference Endpoints",
      "url": "/articles/ai-landscape/llm-api-abuse-detection/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-api-abuse-detection/",
      "category": "ai-landscape",
      "tags": ["llm","api-security","abuse-detection","credential-security","cost-monitoring","anomaly-detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "LLM Output Injection: Securing Downstream Systems from AI-Generated Content",
      "url": "/articles/ai-landscape/llm-output-injection/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-output-injection/",
      "category": "ai-landscape",
      "tags": ["llm","injection","output-security","sql-injection","code-execution","ai-agents","validation"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "Gating AI-Generated Security Fixes Before Merge",
      "url": "/articles/cicd/ai-autofix-security-review/",
      "full_url": "https://www.systemshardening.com/articles/cicd/ai-autofix-security-review/",
      "category": "cicd",
      "tags": ["github-actions","ai","autofix","codeql","sast","supply-chain","code-review"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "GitHub Actions Environment Protection Rules and Secret Scoping",
      "url": "/articles/cicd/github-actions-environment-protection/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-actions-environment-protection/",
      "category": "cicd",
      "tags": ["github-actions","environments","secrets","deployment-protection","supply-chain","oidc"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Safe AI-Driven Incident Response Automation",
      "url": "/articles/cross-cutting/ai-incident-response-automation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/ai-incident-response-automation/",
      "category": "cross-cutting",
      "tags": ["incident-response","ai","automation","soar","blast-radius","human-in-the-loop"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "GitHub Enterprise Organisation-Level Security Hardening",
      "url": "/articles/cross-cutting/github-enterprise-org-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/github-enterprise-org-hardening/",
      "category": "cross-cutting",
      "tags": ["github","enterprise","sso","audit-log","supply-chain","governance","access-control"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Security Validation for AI-Generated Kubernetes Manifests",
      "url": "/articles/kubernetes/kubernetes-ai-generated-manifest-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-ai-generated-manifest-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","ai","manifests","security-context","rbac","kyverno","polaris","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Hardening the Kubernetes Secrets Store CSI Driver",
      "url": "/articles/kubernetes/kubernetes-secret-store-csi-driver-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-secret-store-csi-driver-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","secrets","csi-driver","vault","aws","azure","gcp","rbac"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Using AI Tools to Audit Linux Kernel Configuration for Hardening Gaps",
      "url": "/articles/linux/linux-ai-kernel-config-audit/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-ai-kernel-config-audit/",
      "category": "linux",
      "tags": ["kernel","hardening","ai","configuration","kconfig","audit","baseline"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","sre"]
    },
    {
      "title": "Hardening Linux Against Netlink Socket Privilege Escalation",
      "url": "/articles/linux/linux-netlink-socket-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-netlink-socket-hardening/",
      "category": "linux",
      "tags": ["netlink","kernel","privilege-escalation","seccomp","namespaces","lpe","hardening"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Defending Against AI-Enhanced Adaptive DDoS Attacks",
      "url": "/articles/network/ai-enhanced-ddos-detection-response/",
      "full_url": "https://www.systemshardening.com/articles/network/ai-enhanced-ddos-detection-response/",
      "category": "network",
      "tags": ["ddos","ai","traffic-analysis","anomaly-detection","ml","scrubbing","defence"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["security-engineer","sre","systems-engineer"]
    },
    {
      "title": "Hardening Linux TCP/IP Stacks Against Passive OS Fingerprinting",
      "url": "/articles/network/passive-os-fingerprinting-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/passive-os-fingerprinting-hardening/",
      "category": "network",
      "tags": ["fingerprinting","tcp","os-detection","reconnaissance","sysctl","network-hardening","privacy"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["security-engineer","systems-engineer","sre"]
    },
    {
      "title": "Safe AI-Assisted Security Alert Triage and Escalation",
      "url": "/articles/observability/ai-alert-triage-escalation/",
      "full_url": "https://www.systemshardening.com/articles/observability/ai-alert-triage-escalation/",
      "category": "observability",
      "tags": ["ai","alert-triage","siem","incident-response","llm","security-operations","detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Kubernetes Network Flow Security Monitoring with Cilium Hubble and Retina",
      "url": "/articles/observability/kubernetes-network-flow-security-monitoring/",
      "full_url": "https://www.systemshardening.com/articles/observability/kubernetes-network-flow-security-monitoring/",
      "category": "observability",
      "tags": ["kubernetes","network-flow","cilium","hubble","ebpf","lateral-movement","detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Tamper-Evident AI Decision Logs Using Wasm Runtime Attestation",
      "url": "/articles/wasm/wasm-ai-model-runtime-attestation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-ai-model-runtime-attestation/",
      "category": "wasm",
      "tags": ["wasm","attestation","ai","audit-log","compliance","deterministic-execution","signing"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "Safe Module Termination with Wasmtime Epoch-Based Interruption",
      "url": "/articles/wasm/wasmtime-epoch-interruption-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmtime-epoch-interruption-security/",
      "category": "wasm",
      "tags": ["wasm","wasmtime","epoch","interruption","resource-limits","timeout","dos-prevention"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-13T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "AI-Assisted CVE Patch Prioritisation: EPSS, Reachability, and Business Context",
      "url": "/articles/ai-landscape/ai-patch-prioritization/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-patch-prioritization/",
      "category": "ai-landscape",
      "tags": ["vulnerability-management","ai","epss","cvss","prioritization","patching","llm"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Securing Reasoning Model Scratchpad Output in Production AI Applications",
      "url": "/articles/ai-landscape/ai-reasoning-model-scratchpad-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-reasoning-model-scratchpad-security/",
      "category": "ai-landscape",
      "tags": ["llm","reasoning-models","chain-of-thought","output-security","claude","openai","privacy"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Security Validation for AI-Generated CI/CD Pipeline Configurations",
      "url": "/articles/cicd/ai-generated-cicd-config-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/ai-generated-cicd-config-security/",
      "category": "cicd",
      "tags": ["github-actions","gitlab-ci","ai","pipeline-security","supply-chain","permissions","secret-scanning"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Hardening Gitea and Forgejo Self-Hosted Git Instances",
      "url": "/articles/cicd/gitea-forgejo-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/gitea-forgejo-hardening/",
      "category": "cicd",
      "tags": ["gitea","forgejo","git","self-hosted","supply-chain","hardening","authentication"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "AI Security Posture Management: Extending CSPM to ML Infrastructure",
      "url": "/articles/cross-cutting/ai-security-posture-management/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/ai-security-posture-management/",
      "category": "cross-cutting",
      "tags": ["ai","cspm","security-posture","ml-security","model-serving","gpu","compliance"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","ml-engineer"]
    },
    {
      "title": "Zero-Day Response Playbook: From Public Disclosure to Patched Production",
      "url": "/articles/cross-cutting/zero-day-response-playbook/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/zero-day-response-playbook/",
      "category": "cross-cutting",
      "tags": ["vulnerability-management","incident-response","zero-day","patching","risk-management","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer","systems-engineer"]
    },
    {
      "title": "Isolating AI Training Batch Jobs in Kubernetes",
      "url": "/articles/kubernetes/kubernetes-ai-batch-job-isolation/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-ai-batch-job-isolation/",
      "category": "kubernetes",
      "tags": ["kubernetes","ai","batch-jobs","gpu","isolation","network-policy","rbac","training"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["platform-engineer","ml-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes Subresource RBAC Escalation: Restricting exec, portforward, and proxy",
      "url": "/articles/kubernetes/kubernetes-subresource-rbac-escalation/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-subresource-rbac-escalation/",
      "category": "kubernetes",
      "tags": ["kubernetes","rbac","privilege-escalation","exec","portforward","nodes","least-privilege"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Hardening Linux Against Abstract Unix Socket Privilege Escalation",
      "url": "/articles/linux/linux-abstract-unix-socket-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-abstract-unix-socket-security/",
      "category": "linux",
      "tags": ["unix-sockets","containers","privilege-escalation","apparmor","selinux","namespaces","hardening"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Kernel Hardening for AI-Accelerated Exploit Development",
      "url": "/articles/linux/linux-ai-accelerated-exploit-development/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-ai-accelerated-exploit-development/",
      "category": "linux",
      "tags": ["kernel","exploit-development","ai","hardening","patch-velocity","mitigations","lpe"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["security-engineer","systems-engineer","sre"]
    },
    {
      "title": "Network-Layer Defences Against AI-Powered Phishing Campaigns",
      "url": "/articles/network/ai-powered-phishing-network-defence/",
      "full_url": "https://www.systemshardening.com/articles/network/ai-powered-phishing-network-defence/",
      "category": "network",
      "tags": ["phishing","ai","dns","email-security","egress-control","browser-isolation","social-engineering"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["security-engineer","sre","systems-engineer"]
    },
    {
      "title": "Hardening SSH Against the Terrapin Prefix Truncation Attack (CVE-2023-48795)",
      "url": "/articles/network/ssh-terrapin-attack-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/ssh-terrapin-attack-hardening/",
      "category": "network",
      "tags": ["ssh","openssh","terrapin","cve-2023-48795","mitm","cryptography","hardening"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","sre"]
    },
    {
      "title": "AI-Assisted Threat Hunting: LLMs in the Security Operations Workflow",
      "url": "/articles/observability/ai-assisted-threat-hunting/",
      "full_url": "https://www.systemshardening.com/articles/observability/ai-assisted-threat-hunting/",
      "category": "observability",
      "tags": ["threat-hunting","ai","llm","siem","detection","investigation","security-operations"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Detecting and Preventing Cloud Audit Log Tampering",
      "url": "/articles/observability/cloud-audit-log-tampering-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/cloud-audit-log-tampering-detection/",
      "category": "observability",
      "tags": ["cloudtrail","gcp","azure","audit-logging","tampering","iam","incident-response","detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Sandboxing LLM Agent Tool Plugins with WebAssembly",
      "url": "/articles/wasm/wasm-ai-plugin-sandboxing/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-ai-plugin-sandboxing/",
      "category": "wasm",
      "tags": ["wasm","ai-agents","plugins","sandboxing","llm","extism","wasmtime","tool-use"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "Isolating Sensitive Data Using Wasm Multi-Memory",
      "url": "/articles/wasm/wasm-multi-memory-isolation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-multi-memory-isolation/",
      "category": "wasm",
      "tags": ["wasm","multi-memory","isolation","cryptography","memory-safety","wasmtime","linear-memory"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-12T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "Preventing Data Exfiltration via LLM Context Window Injection",
      "url": "/articles/ai-landscape/ai-context-window-data-exfiltration/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-context-window-data-exfiltration/",
      "category": "ai-landscape",
      "tags": ["llm","prompt-injection","data-exfiltration","context-window","rag","ai-security","pii"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "Defending Against Fake HuggingFace Repository Attacks: Model Artifact Verification",
      "url": "/articles/ai-landscape/huggingface-fake-repo-attack-defence/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/huggingface-fake-repo-attack-defence/",
      "category": "ai-landscape",
      "tags": ["huggingface","supply-chain","model-security","ai-security","typosquatting","artifact-verification"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","ai-security"]
    },
    {
      "title": "Azure DevOps API Exposure Hardening: Securing Against Unauthenticated Information Disclosure",
      "url": "/articles/cicd/azure-devops-api-exposure-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/azure-devops-api-exposure-hardening/",
      "category": "cicd",
      "tags": ["azure-devops","api-security","information-disclosure","cve-2026-42826","cicd-security","access-control"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Enforcing GitHub Artifact Attestations for SLSA Build Provenance",
      "url": "/articles/cicd/github-artifact-attestation-enforcement/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-artifact-attestation-enforcement/",
      "category": "cicd",
      "tags": ["github-actions","slsa","provenance","attestation","supply-chain","sigstore","container-signing"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "NIS2 Directive Technical Implementation: Incident Reporting, Supply Chain, and Vulnerability Management",
      "url": "/articles/cross-cutting/nis2-directive-technical-compliance/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/nis2-directive-technical-compliance/",
      "category": "cross-cutting",
      "tags": ["nis2","compliance","incident-response","supply-chain","vulnerability-management","eu-regulation","governance"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre","systems-engineer"]
    },
    {
      "title": "PAM Module Integrity Verification: Detecting Backdoors Like PamDOORa",
      "url": "/articles/cross-cutting/pam-module-integrity-verification/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/pam-module-integrity-verification/",
      "category": "cross-cutting",
      "tags": ["pam","integrity-verification","ima-evm","backdoor-detection","post-exploitation","file-integrity-monitoring"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","it-operations","linux-admin"]
    },
    {
      "title": "Securing the Kubernetes API Aggregation Layer Against Privilege Escalation",
      "url": "/articles/kubernetes/kubernetes-apiserver-aggregation-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-apiserver-aggregation-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","api-server","rbac","privilege-escalation","mtls","aggregation","hardening"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Kubernetes Node Kernel Patch Velocity: Draining and Replacing Nodes at Speed After a Critical CVE",
      "url": "/articles/kubernetes/kubernetes-node-kernel-patch-velocity/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-node-kernel-patch-velocity/",
      "category": "kubernetes",
      "tags": ["kubernetes","kernel-security","node-management","patch-management","machine-deployments","cve-response"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Hardening Linux Against n_gsm TTY GSM Multiplexer Privilege Escalation",
      "url": "/articles/linux/linux-gsm-tty-exploit-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-gsm-tty-exploit-hardening/",
      "category": "linux",
      "tags": ["kernel","privilege-escalation","tty","lpe","hardening","lsm","modules"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","sre"]
    },
    {
      "title": "Dirty Frag: Exploiting the xfrm ESP Page-Cache Write Primitive (CVE-2026-43284/43500)",
      "url": "/articles/linux/xfrm-kernel-lpe-dirty-frag/",
      "full_url": "https://www.systemshardening.com/articles/linux/xfrm-kernel-lpe-dirty-frag/",
      "category": "linux",
      "tags": ["kernel-security","privilege-escalation","xfrm","ipsec","cve-2026-43284","exploit-mitigations"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","kernel-developer","sre"]
    },
    {
      "title": "DNSSEC Key Rollover Operational Security: Lessons from the .de TLD Three-Hour Outage",
      "url": "/articles/network/dnssec-key-rollover-operational-security/",
      "full_url": "https://www.systemshardening.com/articles/network/dnssec-key-rollover-operational-security/",
      "category": "network",
      "tags": ["dnssec","dns","key-rollover","operational-security","availability","incident-analysis"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer","sre"]
    },
    {
      "title": "Defending Against SMTP Smuggling: Hardening Postfix, Exim, and Gateway MTAs",
      "url": "/articles/network/smtp-smuggling-defence/",
      "full_url": "https://www.systemshardening.com/articles/network/smtp-smuggling-defence/",
      "category": "network",
      "tags": ["smtp","email-security","postfix","exim","request-smuggling","spf","dmarc","mta"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","sre"]
    },
    {
      "title": "Detecting Developer Credential Harvesting: Monitoring .npmrc, .pypirc, and Cloud Config Files",
      "url": "/articles/observability/developer-credential-file-monitoring/",
      "full_url": "https://www.systemshardening.com/articles/observability/developer-credential-file-monitoring/",
      "category": "observability",
      "tags": ["credential-security","ebpf","falco","tetragon","post-exploitation","developer-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","sre","developer"]
    },
    {
      "title": "Detecting and Containing eBPF-Based Rootkits That Blind Your Observability Stack",
      "url": "/articles/observability/ebpf-rootkit-detection-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/ebpf-rootkit-detection-hardening/",
      "category": "observability",
      "tags": ["ebpf","rootkit","detection","falco","tetragon","kernel","bpf","security-monitoring"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","sre","systems-engineer"]
    },
    {
      "title": "What Browser WASM CVEs Teach Server-Side Runtimes: V8 JIT Miscompilation and Isolation Boundaries",
      "url": "/articles/wasm/browser-wasm-cve-server-runtime-lessons/",
      "full_url": "https://www.systemshardening.com/articles/wasm/browser-wasm-cve-server-runtime-lessons/",
      "category": "wasm",
      "tags": ["webassembly","jit-security","v8","cve-2026-3910","wasmtime","sandbox-escape"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","developer"]
    },
    {
      "title": "Preventing Sensitive Data Exposure via WebAssembly Coredumps in Production",
      "url": "/articles/wasm/wasm-coredump-data-exposure-hardening/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-coredump-data-exposure-hardening/",
      "category": "wasm",
      "tags": ["wasm","coredump","debugging","data-exposure","wasmtime","wasmer","wasi","secrets"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-11T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "AI-Assisted Vulnerability Triage for Container Patching: LLM-Powered Copa Prioritisation",
      "url": "/articles/ai-landscape/ai-copa-vulnerability-triage/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-copa-vulnerability-triage/",
      "category": "ai-landscape",
      "tags": ["copa","ai-security","vulnerability-triage","llm","epss","vex","container-patching"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","ai-security"]
    },
    {
      "title": "Compromising an AI Inference Cluster: Attack Paths Unique to GPU and LLM Kubernetes Deployments",
      "url": "/articles/ai-landscape/ai-inference-cluster-attack-paths/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-inference-cluster-attack-paths/",
      "category": "ai-landscape",
      "tags": ["kubernetes","gpu","llm","red-team","ai-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Powered SSH Session Anomaly Detection: Analysing ContainerSSH Audit Logs with LLMs",
      "url": "/articles/ai-landscape/containerssh-ai-session-analysis/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/containerssh-ai-session-analysis/",
      "category": "ai-landscape",
      "tags": ["containerssh","ai-security","anomaly-detection","ssh","llm","session-analysis"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","ai-security","sre"]
    },
    {
      "title": "LLM API Security: Parameter Injection, Token Exhaustion DoS, and Model Abuse Detection",
      "url": "/articles/ai-landscape/llm-api-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-api-security/",
      "category": "ai-landscape",
      "tags": ["llm","api-security","prompt-injection","rate-limiting","ai-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "LLM Copy-Paste Vulnerability Propagation: When AI Reproduces Unsafe Memory Copy Patterns",
      "url": "/articles/ai-landscape/llm-copy-paste-vulnerability-propagation/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-copy-paste-vulnerability-propagation/",
      "category": "ai-landscape",
      "tags": ["llm","ai-code-generation","memory-safety","sast","supply-chain","secure-coding"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","developer","ai-security"]
    },
    {
      "title": "LLM Rate Limiting in Kubernetes: Token-Bucket Control for vLLM and TGI at Scale",
      "url": "/articles/ai-landscape/llm-kubernetes-rate-limiting/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-kubernetes-rate-limiting/",
      "category": "ai-landscape",
      "tags": ["llm","rate-limiting","kubernetes","vllm","inference"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Secrets in AI Pipelines: Training Data Credentials, Model Registry Access, and MLOps Secret Sprawl",
      "url": "/articles/ai-landscape/mlops-secrets-management/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mlops-secrets-management/",
      "category": "ai-landscape",
      "tags": ["mlops","secrets-management","ai-security","training","model-registry"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "GitHub Actions Runner Controller Security: Ephemeral Runners and Pod Isolation in Kubernetes",
      "url": "/articles/cicd/actions-runner-controller-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/actions-runner-controller-security/",
      "category": "cicd",
      "tags": ["github-actions","arc","kubernetes","cicd","runner-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "API Key Lifecycle in CI/CD: Rotation, Scoping, and Detecting Long-Lived Credential Sprawl",
      "url": "/articles/cicd/api-key-lifecycle-management/",
      "full_url": "https://www.systemshardening.com/articles/cicd/api-key-lifecycle-management/",
      "category": "cicd",
      "tags": ["api-keys","secrets-management","cicd","rotation","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Artifact Copy Integrity: Closing the Substitution Window in Multi-Stage Build Pipelines",
      "url": "/articles/cicd/artifact-copy-integrity-verification/",
      "full_url": "https://www.systemshardening.com/articles/cicd/artifact-copy-integrity-verification/",
      "category": "cicd",
      "tags": ["supply-chain","artifact-integrity","cosign","slsa","pipeline-security","digest-pinning"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Artifact Registry Security: Hardening Harbor, ECR, and GCR Against Supply Chain Attacks",
      "url": "/articles/cicd/artifact-registry-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/artifact-registry-security/",
      "category": "cicd",
      "tags": ["container-registry","harbor","ecr","supply-chain","artifact-security","image-scanning"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "ContainerSSH for CI/CD Pipeline Debugging: Ephemeral, Audited Shell Access to Build Environments",
      "url": "/articles/cicd/containerssh-cicd-debug-access/",
      "full_url": "https://www.systemshardening.com/articles/cicd/containerssh-cicd-debug-access/",
      "category": "cicd",
      "tags": ["containerssh","cicd","debugging","ssh","audit-logging","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Copa in CI/CD: Automated Container Patch Pipelines with Trivy, cosign, and GitHub Actions",
      "url": "/articles/cicd/copa-cicd-patch-automation/",
      "full_url": "https://www.systemshardening.com/articles/cicd/copa-cicd-patch-automation/",
      "category": "cicd",
      "tags": ["copa","copacetic","cicd","container-patching","github-actions","trivy","cosign"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "GitHub Actions Supply Chain Hardening: Pinning, Permissions, and OIDC Token Security",
      "url": "/articles/cicd/github-actions-supply-chain-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-actions-supply-chain-hardening/",
      "category": "cicd",
      "tags": ["github-actions","supply-chain","cicd-security","oidc","pinning","stepsecurity"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer"]
    },
    {
      "title": "Golden Path Security: Building Security In from Day Zero with Paved Road Templates",
      "url": "/articles/cicd/golden-path-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/golden-path-security/",
      "category": "cicd",
      "tags": ["platform-engineering","golden-path","paved-road","security-by-default","shift-left","kubernetes"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "From Leaked kubeconfig to Full Cluster Takeover: The CI/CD Attack Chain",
      "url": "/articles/cicd/kubeconfig-leak-cluster-compromise/",
      "full_url": "https://www.systemshardening.com/articles/cicd/kubeconfig-leak-cluster-compromise/",
      "category": "cicd",
      "tags": ["kubernetes","cicd","kubeconfig","red-team","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "OSS-Fuzz and ClusterFuzzLite: Continuous Fuzzing as a Supply Chain Security Control",
      "url": "/articles/cicd/oss-fuzz-clusterfuzzlite-integration/",
      "full_url": "https://www.systemshardening.com/articles/cicd/oss-fuzz-clusterfuzzlite-integration/",
      "category": "cicd",
      "tags": ["fuzzing","supply-chain","oss-fuzz","clusterfuzzlite","libfuzzer","security-testing"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer"]
    },
    {
      "title": "SBOM Generation and Consumption: CycloneDX, SPDX, and Vulnerability Correlation",
      "url": "/articles/cicd/sbom-generation-consumption/",
      "full_url": "https://www.systemshardening.com/articles/cicd/sbom-generation-consumption/",
      "category": "cicd",
      "tags": ["sbom","cyclonedx","spdx","supply-chain","vulnerability-management","syft","grype"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Shift-Left Security Tooling: IDE Plugins, Pre-Commit Hooks, and PR Security Gates",
      "url": "/articles/cicd/shift-left-developer-security-tooling/",
      "full_url": "https://www.systemshardening.com/articles/cicd/shift-left-developer-security-tooling/",
      "category": "cicd",
      "tags": ["shift-left","developer-security","sast","pre-commit","ide-security","github-actions"],
      "difficulty": "beginner",
      "reading_time_minutes": 10,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","developer"]
    },
    {
      "title": "SLSA Attestation Verification at Admission: Enforcing Build Provenance in Kubernetes",
      "url": "/articles/cicd/slsa-attestation-admission-verification/",
      "full_url": "https://www.systemshardening.com/articles/cicd/slsa-attestation-admission-verification/",
      "category": "cicd",
      "tags": ["slsa","attestation","admission-control","kyverno","provenance","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "SLSA Build Provenance: Verifying Supply Chain Integrity from Source to Deployment",
      "url": "/articles/cicd/slsa-build-provenance/",
      "full_url": "https://www.systemshardening.com/articles/cicd/slsa-build-provenance/",
      "category": "cicd",
      "tags": ["slsa","supply-chain","provenance","in-toto","build-security","github-actions"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "SOPS and Age: Encrypting Secrets in Git Without a Secrets Server",
      "url": "/articles/cicd/sops-age-gitops-secrets/",
      "full_url": "https://www.systemshardening.com/articles/cicd/sops-age-gitops-secrets/",
      "category": "cicd",
      "tags": ["sops","gitops","secrets-management","age","flux"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Terraform Security Guardrails: Preventing Cloud Misconfigurations at the Infrastructure Layer",
      "url": "/articles/cicd/terraform-security-guardrails/",
      "full_url": "https://www.systemshardening.com/articles/cicd/terraform-security-guardrails/",
      "category": "cicd",
      "tags": ["terraform","infrastructure-as-code","security-guardrails","checkov","conftest","cloud-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "API Schema Validation as a Security Control: OpenAPI Enforcement and the Mass Assignment Problem",
      "url": "/articles/cross-cutting/api-schema-validation-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/api-schema-validation-security/",
      "category": "cross-cutting",
      "tags": ["api-security","schema-validation","openapi","mass-assignment","input-validation"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AWS IRSA: IAM Roles for Service Accounts and OIDC Workload Identity",
      "url": "/articles/cross-cutting/aws-irsa-workload-identity/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/aws-irsa-workload-identity/",
      "category": "cross-cutting",
      "tags": ["aws","irsa","workload-identity","iam","eks","oidc"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Backstage Security Hardening: Locking Down the Developer Portal",
      "url": "/articles/cross-cutting/backstage-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/backstage-security-hardening/",
      "category": "cross-cutting",
      "tags": ["backstage","platform-engineering","security-hardening","developer-portal","secrets-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Container Patch SLA Policy Enforcement: From Severity Tiers to Admission Control",
      "url": "/articles/cross-cutting/container-patch-sla-policy-enforcement/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/container-patch-sla-policy-enforcement/",
      "category": "cross-cutting",
      "tags": ["copa","container-patching","sla","policy-enforcement","kyverno","vulnerability-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","security-architect"]
    },
    {
      "title": "Hardening the ContainerSSH Config and Auth Webhook: Identity Integration and Request Security",
      "url": "/articles/cross-cutting/containerssh-webhook-auth-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/containerssh-webhook-auth-hardening/",
      "category": "cross-cutting",
      "tags": ["containerssh","webhook","authentication","oidc","ldap","mtls","zero-trust"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","identity-engineer"]
    },
    {
      "title": "Continuous Authorization: CAEP, RISC, and Real-Time Session Revocation",
      "url": "/articles/cross-cutting/continuous-authorization-caep/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/continuous-authorization-caep/",
      "category": "cross-cutting",
      "tags": ["caep","zero-trust","session-management","oauth2","continuous-authorization","identity"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","identity-engineer"]
    },
    {
      "title": "Cross-Cloud OIDC Federation: Portable Workload Identity Across AWS, GCP, and Azure",
      "url": "/articles/cross-cutting/cross-cloud-oidc-federation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/cross-cloud-oidc-federation/",
      "category": "cross-cutting",
      "tags": ["oidc","federation","multi-cloud","workload-identity","aws","gcp","azure"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","cloud-architect"]
    },
    {
      "title": "Dependency Confusion Attacks: How Private Package Shadowing Works and How to Stop It",
      "url": "/articles/cross-cutting/dependency-confusion-defence/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/dependency-confusion-defence/",
      "category": "cross-cutting",
      "tags": ["supply-chain","dependency-confusion","package-security","npm","pip","maven","registry-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Device Posture in Zero Trust: Continuous Verification Beyond Username and Password",
      "url": "/articles/cross-cutting/device-posture-continuous-verification/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/device-posture-continuous-verification/",
      "category": "cross-cutting",
      "tags": ["device-posture","zero-trust","tpm","mdm","endpoint-security","continuous-verification"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","security-architect","it-operations"]
    },
    {
      "title": "GCP Workload Identity Federation: Credential-Free Access from Any Identity Provider",
      "url": "/articles/cross-cutting/gcp-workload-identity-federation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/gcp-workload-identity-federation/",
      "category": "cross-cutting",
      "tags": ["gcp","workload-identity-federation","oidc","github-actions","gke","credential-free"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "IAM Least Privilege Automation: Right-Sizing Permissions with Access Analysis",
      "url": "/articles/cross-cutting/iam-least-privilege-automation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/iam-least-privilege-automation/",
      "category": "cross-cutting",
      "tags": ["iam","least-privilege","aws","gcp","azure","cloud-security","automation"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","cloud-architect","platform-engineer"]
    },
    {
      "title": "Internal Developer Platform Security: Securing the Self-Service Infrastructure Layer",
      "url": "/articles/cross-cutting/internal-developer-platform-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/internal-developer-platform-security/",
      "category": "cross-cutting",
      "tags": ["platform-engineering","internal-developer-platform","backstage","security","self-service-infrastructure"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "Service Account Token Privilege Escalation: How Limited RBAC Becomes Cluster-Admin Without CVEs",
      "url": "/articles/cross-cutting/kubernetes-rbac-privilege-escalation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/kubernetes-rbac-privilege-escalation/",
      "category": "cross-cutting",
      "tags": ["kubernetes","rbac","privilege-escalation","red-team","security-governance"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OpenSSF Scorecard: Automated Open Source Dependency Risk Scoring",
      "url": "/articles/cross-cutting/openssf-scorecard-risk-scoring/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/openssf-scorecard-risk-scoring/",
      "category": "cross-cutting",
      "tags": ["openssf","scorecard","supply-chain","dependency-risk","open-source-security","ossf"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Platform Team Secrets Injection: Centralized Patterns for Developer Self-Service",
      "url": "/articles/cross-cutting/platform-team-secrets-injection/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/platform-team-secrets-injection/",
      "category": "cross-cutting",
      "tags": ["secrets-management","platform-engineering","external-secrets-operator","vault","kubernetes","cicd"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "Policy as Code at Scale: OPA, Rego Testing, and Enterprise Policy Libraries",
      "url": "/articles/cross-cutting/policy-as-code-at-scale/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/policy-as-code-at-scale/",
      "category": "cross-cutting",
      "tags": ["opa","rego","policy-as-code","platform-engineering","governance","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","security-architect"]
    },
    {
      "title": "VEX: Vulnerability Exploitability eXchange for SBOM-Driven Triage",
      "url": "/articles/cross-cutting/sbom-vex-exploitability/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/sbom-vex-exploitability/",
      "category": "cross-cutting",
      "tags": ["sbom","vex","vulnerability-management","supply-chain","cyclonedx","false-positives"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer"]
    },
    {
      "title": "Secret Rotation Automation: Zero-Downtime Database Password Rotation at Scale",
      "url": "/articles/cross-cutting/secret-rotation-automation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/secret-rotation-automation/",
      "category": "cross-cutting",
      "tags": ["secrets-management","rotation","vault","aws-secrets-manager","database"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "SOCKS Proxy Tunnelling and Covert Channel Detection: When Legitimate Protocols Carry C2 Traffic",
      "url": "/articles/cross-cutting/socks-proxy-covert-channel-detection/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/socks-proxy-covert-channel-detection/",
      "category": "cross-cutting",
      "tags": ["covert-channels","socks-proxy","c2-detection","network-security","threat-hunting"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "TOCTOU Vulnerability Defences: Eliminating Time-of-Check to Time-of-Use Races Across the Stack",
      "url": "/articles/cross-cutting/toctou-vulnerability-defences/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/toctou-vulnerability-defences/",
      "category": "cross-cutting",
      "tags": ["toctou","race-conditions","filesystem-security","kernel-security","secure-coding","admission-control"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","kernel-developer","platform-engineer","developer"]
    },
    {
      "title": "Typosquatting in Package Registries: Detection, Prevention, and Runtime Defence",
      "url": "/articles/cross-cutting/typosquatting-package-registry-defence/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/typosquatting-package-registry-defence/",
      "category": "cross-cutting",
      "tags": ["supply-chain","typosquatting","package-security","npm","pypi","malware-detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer"]
    },
    {
      "title": "Zero Trust Architecture: From BeyondCorp Principles to Production Implementation",
      "url": "/articles/cross-cutting/zero-trust-architecture-principles/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/zero-trust-architecture-principles/",
      "category": "cross-cutting",
      "tags": ["zero-trust","beyondcorp","identity","access-control","nist","architecture"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","security-architect","platform-engineer"]
    },
    {
      "title": "Azure Workload Identity for AKS: Federated Credential Access to Azure Resources",
      "url": "/articles/kubernetes/azure-workload-identity-aks/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/azure-workload-identity-aks/",
      "category": "kubernetes",
      "tags": ["azure","workload-identity","aks","oidc","microsoft-entra","credential-free"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Container Image Signing Policy Enforcement: From cosign to Admission Control",
      "url": "/articles/kubernetes/container-image-signing-policy/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/container-image-signing-policy/",
      "category": "kubernetes",
      "tags": ["container-signing","cosign","kyverno","supply-chain","admission-control","sigstore"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "ContainerSSH Kubernetes Backend: Hardened Pod-per-Session SSH Access",
      "url": "/articles/kubernetes/containerssh-kubernetes-backend/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/containerssh-kubernetes-backend/",
      "category": "kubernetes",
      "tags": ["containerssh","kubernetes","ssh","pod-security","rbac","network-policy"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Automating Container Image Patching in Kubernetes with Copa and Kyverno",
      "url": "/articles/kubernetes/copa-kubernetes-automated-patching/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/copa-kubernetes-automated-patching/",
      "category": "kubernetes",
      "tags": ["copa","copacetic","kubernetes","kyverno","container-patching","vulnerability-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "etcd Compromise: The Blast Radius of Your Kubernetes Backing Store",
      "url": "/articles/kubernetes/etcd-compromise-and-recovery/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/etcd-compromise-and-recovery/",
      "category": "kubernetes",
      "tags": ["etcd","kubernetes","secrets","red-team","incident-response"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "External Secrets Operator: Syncing Cloud Secrets Without Storing Them in Kubernetes",
      "url": "/articles/kubernetes/external-secrets-operator-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/external-secrets-operator-hardening/",
      "category": "kubernetes",
      "tags": ["external-secrets","kubernetes","secrets-management","aws-secrets-manager","vault"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "BOLA and BFLA in Kubernetes-Hosted APIs: Object-Level Authorisation Gaps in Multi-Tenant Deployments",
      "url": "/articles/kubernetes/kubernetes-api-bola-bfla/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-api-bola-bfla/",
      "category": "kubernetes",
      "tags": ["api-security","bola","authorisation","opa","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes Service Account Token Security: Projection, Audience Binding, and Theft Prevention",
      "url": "/articles/kubernetes/kubernetes-service-account-token-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-service-account-token-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","service-accounts","tokens","oidc","credential-security","rbac"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Kyverno Controller Security: Hardening the Policy Engine That Enforces Your Security Policies",
      "url": "/articles/kubernetes/kyverno-controller-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kyverno-controller-security/",
      "category": "kubernetes",
      "tags": ["kyverno","admission-webhook","policy-enforcement","kubernetes","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Overlayfs Copy-on-Write Container Escape: CVE-2023-0386 and Writeback Race Mitigations",
      "url": "/articles/kubernetes/overlayfs-cow-container-escape/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/overlayfs-cow-container-escape/",
      "category": "kubernetes",
      "tags": ["container-escape","overlayfs","copy-on-write","kernel-security","cve-2023-0386","kubernetes-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Sigstore and Cosign: Keyless Container Image Signing and Verification",
      "url": "/articles/kubernetes/sigstore-cosign-container-signing/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/sigstore-cosign-container-signing/",
      "category": "kubernetes",
      "tags": ["sigstore","cosign","container-signing","supply-chain","rekor","keyless-signing"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "SPIFFE and SPIRE: Cryptographic Workload Identity for Zero Trust Kubernetes",
      "url": "/articles/kubernetes/spiffe-spire-workload-identity/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/spiffe-spire-workload-identity/",
      "category": "kubernetes",
      "tags": ["spiffe","spire","workload-identity","zero-trust","mtls","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "API Gateway Hardening at the OS Layer: Rate Limiting with nftables and eBPF",
      "url": "/articles/linux/api-gateway-nftables-ebpf-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/api-gateway-nftables-ebpf-hardening/",
      "category": "linux",
      "tags": ["nftables","ebpf","api-security","rate-limiting","kernel"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "ContainerSSH as a Bastion Host Replacement: Ephemeral Containers per SSH Session",
      "url": "/articles/linux/containerssh-bastion-replacement/",
      "full_url": "https://www.systemshardening.com/articles/linux/containerssh-bastion-replacement/",
      "category": "linux",
      "tags": ["containerssh","bastion-host","ssh","ephemeral-containers","access-control","zero-trust"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","it-operations"]
    },
    {
      "title": "Patching Distroless and Minimal Container Images with Copa",
      "url": "/articles/linux/copa-distroless-image-patching/",
      "full_url": "https://www.systemshardening.com/articles/linux/copa-distroless-image-patching/",
      "category": "linux",
      "tags": ["copa","copacetic","distroless","container-security","vulnerability-patching","buildkit"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "copy_from_user Failure Exploitation: Kernel Copy Fault Handling Vulnerabilities",
      "url": "/articles/linux/copy-from-user-failure-exploitation/",
      "full_url": "https://www.systemshardening.com/articles/linux/copy-from-user-failure-exploitation/",
      "category": "linux",
      "tags": ["kernel-security","copy-from-user","privilege-escalation","smap","kernel-hardening","exploit-mitigations"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","kernel-developer"]
    },
    {
      "title": "Linux Kernel Crypto API Security: algif_aead Attack Surface and Safe Primitive Selection",
      "url": "/articles/linux/linux-kernel-crypto-api-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-kernel-crypto-api-security/",
      "category": "linux",
      "tags": ["kernel","crypto","af-alg","aead","privilege-escalation"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Malicious Dependency Runtime Detection: Using eBPF to Catch Compromised Libraries",
      "url": "/articles/linux/malicious-dependency-runtime-detection/",
      "full_url": "https://www.systemshardening.com/articles/linux/malicious-dependency-runtime-detection/",
      "category": "linux",
      "tags": ["supply-chain","ebpf","falco","tetragon","runtime-security","dependency-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer"]
    },
    {
      "title": "From Pod Breakout to Kubelet Credential Theft: The Node Compromise Attack Chain",
      "url": "/articles/linux/pod-breakout-to-kubelet-credential-theft/",
      "full_url": "https://www.systemshardening.com/articles/linux/pod-breakout-to-kubelet-credential-theft/",
      "category": "linux",
      "tags": ["kubernetes","privilege-escalation","container-escape","kubelet","red-team"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Reproducible Builds: Eliminating Build Environment as a Supply Chain Attack Surface",
      "url": "/articles/linux/reproducible-builds-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/reproducible-builds-security/",
      "category": "linux",
      "tags": ["supply-chain","reproducible-builds","nix","build-security","debian"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "HashiCorp Vault Architecture and Hardening: Seal Configuration, Audit Logging, and Root Token Elimination",
      "url": "/articles/linux/vault-architecture-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/vault-architecture-hardening/",
      "category": "linux",
      "tags": ["vault","secrets-management","hardening","audit-logging","linux"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "ContainerSSH Network Isolation: Per-Session NetworkPolicy and Egress Control",
      "url": "/articles/network/containerssh-network-isolation/",
      "full_url": "https://www.systemshardening.com/articles/network/containerssh-network-isolation/",
      "category": "network",
      "tags": ["containerssh","network-policy","kubernetes","ssh","lateral-movement","cilium"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer","platform-engineer"]
    },
    {
      "title": "Copa in Air-Gapped Environments: Container Patching Without Internet Access",
      "url": "/articles/network/copa-air-gapped-registry-patching/",
      "full_url": "https://www.systemshardening.com/articles/network/copa-air-gapped-registry-patching/",
      "category": "network",
      "tags": ["copa","copacetic","air-gapped","network-isolation","container-patching","registry-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","network-engineer"]
    },
    {
      "title": "Encrypted Client Hello: Privacy vs. Enterprise Security Inspection",
      "url": "/articles/network/encrypted-client-hello-security/",
      "full_url": "https://www.systemshardening.com/articles/network/encrypted-client-hello-security/",
      "category": "network",
      "tags": ["tls","ech","privacy","network-monitoring","enterprise-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "GraphQL Attack Surface: Introspection Enumeration, Batch Query Abuse, and Depth Limiting",
      "url": "/articles/network/graphql-attack-surface/",
      "full_url": "https://www.systemshardening.com/articles/network/graphql-attack-surface/",
      "category": "network",
      "tags": ["graphql","api-security","introspection","rate-limiting","network-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Identity-Aware Proxy: Replacing VPN with Continuous Identity Verification",
      "url": "/articles/network/identity-aware-proxy-security/",
      "full_url": "https://www.systemshardening.com/articles/network/identity-aware-proxy-security/",
      "category": "network",
      "tags": ["identity-aware-proxy","zero-trust","oauth2","envoy","access-control","beyondcorp"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","network-engineer"]
    },
    {
      "title": "Kubernetes Network Lateral Movement: From Compromised Pod to Internal Service Exfiltration",
      "url": "/articles/network/kubernetes-network-lateral-movement/",
      "full_url": "https://www.systemshardening.com/articles/network/kubernetes-network-lateral-movement/",
      "category": "network",
      "tags": ["kubernetes","network-policy","lateral-movement","red-team","network-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Microsegmentation with Cilium: L7-Aware Network Policy for Zero Trust Kubernetes",
      "url": "/articles/network/microsegmentation-cilium-zero-trust/",
      "full_url": "https://www.systemshardening.com/articles/network/microsegmentation-cilium-zero-trust/",
      "category": "network",
      "tags": ["cilium","microsegmentation","zero-trust","ebpf","network-policy","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","network-engineer"]
    },
    {
      "title": "Double-Fetch Vulnerabilities in the Linux Network Stack: skb Races and TOCTOU in Packet Handling",
      "url": "/articles/network/packet-buffer-double-fetch-exploits/",
      "full_url": "https://www.systemshardening.com/articles/network/packet-buffer-double-fetch-exploits/",
      "category": "network",
      "tags": ["kernel-security","double-fetch","network-stack","toctou","skb","exploit-mitigations"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","kernel-developer","network-engineer"]
    },
    {
      "title": "Secrets in Transit: mTLS and Certificate Pinning for Secret Store Communication",
      "url": "/articles/network/secrets-in-transit-security/",
      "full_url": "https://www.systemshardening.com/articles/network/secrets-in-transit-security/",
      "category": "network",
      "tags": ["secrets-management","mtls","certificate-pinning","network-security","vault"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Service Mesh mTLS Identity: Istio and Linkerd Certificate Security Deep Dive",
      "url": "/articles/network/service-mesh-mtls-identity/",
      "full_url": "https://www.systemshardening.com/articles/network/service-mesh-mtls-identity/",
      "category": "network",
      "tags": ["service-mesh","mtls","istio","linkerd","certificate-management","zero-trust"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","network-engineer"]
    },
    {
      "title": "Zero Trust Network Access with WireGuard: Replacing VPN with Per-Resource Tunnels",
      "url": "/articles/network/ztna-wireguard-deployment/",
      "full_url": "https://www.systemshardening.com/articles/network/ztna-wireguard-deployment/",
      "category": "network",
      "tags": ["ztna","wireguard","vpn-replacement","zero-trust","tailscale","network-access"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer","it-operations"]
    },
    {
      "title": "API Threat Detection via Traffic Analysis: Detecting BOLA, Enumeration, and Mass Assignment in Access Logs",
      "url": "/articles/observability/api-threat-detection-traffic-analysis/",
      "full_url": "https://www.systemshardening.com/articles/observability/api-threat-detection-traffic-analysis/",
      "category": "observability",
      "tags": ["api-security","bola","observability","threat-detection","loki"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Container Patch Compliance Observability: Tracking CVE-to-Patch SLAs Across a Fleet",
      "url": "/articles/observability/container-patch-compliance-observability/",
      "full_url": "https://www.systemshardening.com/articles/observability/container-patch-compliance-observability/",
      "category": "observability",
      "tags": ["copa","container-patching","observability","prometheus","grafana","vulnerability-management","compliance"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "ContainerSSH Audit Logging: Session Recording, S3 Export, and SIEM Integration",
      "url": "/articles/observability/containerssh-audit-logging/",
      "full_url": "https://www.systemshardening.com/articles/observability/containerssh-audit-logging/",
      "category": "observability",
      "tags": ["containerssh","audit-logging","session-recording","siem","ssh","forensics"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","sre","compliance-engineer"]
    },
    {
      "title": "Detecting Copy-on-Write Exploitation with eBPF: Tracing Dirty Pipe and Overlayfs Attack Patterns",
      "url": "/articles/observability/cow-exploit-detection-ebpf/",
      "full_url": "https://www.systemshardening.com/articles/observability/cow-exploit-detection-ebpf/",
      "category": "observability",
      "tags": ["ebpf","falco","tetragon","kernel-security","copy-on-write","exploit-detection"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Kubernetes Forensics After Compromise: Reconstructing the Attack Timeline",
      "url": "/articles/observability/kubernetes-forensics-post-compromise/",
      "full_url": "https://www.systemshardening.com/articles/observability/kubernetes-forensics-post-compromise/",
      "category": "observability",
      "tags": ["forensics","incident-response","kubernetes","audit-logs","red-team"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OpenTelemetry Collector Hardening: Pipeline Injection, RBAC, and Securing the Observability Data Path",
      "url": "/articles/observability/otel-collector-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/otel-collector-hardening/",
      "category": "observability",
      "tags": ["opentelemetry","observability","security-hardening","telemetry","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Detecting Secret Access Anomalies: Vault and AWS Secrets Manager Audit Log Analysis",
      "url": "/articles/observability/secret-access-anomaly-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/secret-access-anomaly-detection/",
      "category": "observability",
      "tags": ["vault","secrets-management","audit-logging","anomaly-detection","observability"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "ContainerSSH Auth Webhook as a WebAssembly Edge Function: Low-Latency Sandboxed Authentication",
      "url": "/articles/wasm/containerssh-wasm-auth-backend/",
      "full_url": "https://www.systemshardening.com/articles/wasm/containerssh-wasm-auth-backend/",
      "category": "wasm",
      "tags": ["containerssh","webassembly","edge-computing","authentication","cloudflare-workers","oidc"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","developer"]
    },
    {
      "title": "Extending Copa with WebAssembly: Building Sandboxed Scanner Plugins",
      "url": "/articles/wasm/copa-wasm-scanner-plugin/",
      "full_url": "https://www.systemshardening.com/articles/wasm/copa-wasm-scanner-plugin/",
      "category": "wasm",
      "tags": ["copa","copacetic","webassembly","plugin-security","scanner-plugin","sandboxing"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","developer"]
    },
    {
      "title": "Envoy WASM Filters for API Security: Injection-Safe Middleware in the Data Plane",
      "url": "/articles/wasm/envoy-wasm-api-security-filters/",
      "full_url": "https://www.systemshardening.com/articles/wasm/envoy-wasm-api-security-filters/",
      "category": "wasm",
      "tags": ["webassembly","envoy","api-security","wasm-filters","service-mesh"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WebAssembly Component Supply Chain: Signing, Attestation, and Registry Security",
      "url": "/articles/wasm/wasm-component-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-component-supply-chain/",
      "category": "wasm",
      "tags": ["webassembly","supply-chain","wasm-component-model","cosign","warg","signing"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Secrets in WASM Edge Functions: WASI Keyvalue, Vault Agent, and Capability-Based Secret Access",
      "url": "/articles/wasm/wasm-edge-secrets-management/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-edge-secrets-management/",
      "category": "wasm",
      "tags": ["webassembly","secrets-management","edge-computing","wasi","spin"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WebAssembly at the Edge: Implementing Zero Trust Authorization in WASM Filters",
      "url": "/articles/wasm/wasm-edge-zero-trust-auth/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-edge-zero-trust-auth/",
      "category": "wasm",
      "tags": ["webassembly","zero-trust","envoy","edge-security","jwt","authorization"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Sandbox Escape in Kubernetes: Post-Escape Environment and Pivot Paths",
      "url": "/articles/wasm/wasm-kubernetes-pod-escape/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-kubernetes-pod-escape/",
      "category": "wasm",
      "tags": ["webassembly","kubernetes","wasmtime","container-escape","red-team"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WebAssembly Memory Copy Safety: Bounds Checking, OOB Patterns, and Host Buffer Exchange",
      "url": "/articles/wasm/wasm-memory-copy-safety/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-memory-copy-safety/",
      "category": "wasm",
      "tags": ["webassembly","memory-safety","bounds-checking","wasm-threads","spectre","host-api"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","developer"]
    },
    {
      "title": "WebAssembly Module Registry Security: warg, OCI, and Supply Chain Controls for WASM",
      "url": "/articles/wasm/wasm-module-registry-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-module-registry-security/",
      "category": "wasm",
      "tags": ["webassembly","registry","supply-chain","warg","oci","module-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WebAssembly Platform Extensions: Security Model for WASM Plugin Systems",
      "url": "/articles/wasm/wasm-platform-extension-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-platform-extension-security/",
      "category": "wasm",
      "tags": ["webassembly","platform-engineering","plugin-security","wasi","sandboxing","extension-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WebAssembly and Post-Quantum TLS: ML-KEM Hybrid Key Exchange in WASM Network Clients",
      "url": "/articles/wasm/wasm-post-quantum-tls/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-post-quantum-tls/",
      "category": "wasm",
      "tags": ["webassembly","post-quantum","ml-kem","tls","cryptography"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WebAssembly Serverless IAM: Credential-Free Cloud Access from WASM Functions",
      "url": "/articles/wasm/wasm-serverless-iam-integration/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-serverless-iam-integration/",
      "category": "wasm",
      "tags": ["webassembly","serverless","iam","cloudflare-workers","credential-security","cloud-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-09T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Agentic Browser Prompt Injection: Web Content as an Attack Surface for Computer Use Agents",
      "url": "/articles/ai-landscape/agentic-browser-prompt-injection-defence/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/agentic-browser-prompt-injection-defence/",
      "category": "ai-landscape",
      "tags": ["prompt-injection","browser-agents","computer-use","ai-security","agentic-ai"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Assisted Code Scanning: Copilot Autofix, DeepCode AI, and Evaluating Fix Quality",
      "url": "/articles/ai-landscape/ai-code-scanning-autofix/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-code-scanning-autofix/",
      "category": "ai-landscape",
      "tags": ["ai-code-scanning","copilot-autofix","sast","ai-security","secure-coding"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI Model Evaluation Pipeline Security",
      "url": "/articles/ai-landscape/ai-evaluation-pipeline-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-evaluation-pipeline-security/",
      "category": "ai-landscape",
      "tags": ["ai-eval","inspect","lm-eval-harness","model-evaluation","sandbox","attestation"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "AI Framework Security Disclosure: Reporting Vulnerabilities in LLM Servers, ML Frameworks, and Model Weights",
      "url": "/articles/ai-landscape/ai-framework-security-disclosure/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-framework-security-disclosure/",
      "category": "ai-landscape",
      "tags": ["ai-security","responsible-disclosure","vllm","langchain","open-source-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer"]
    },
    {
      "title": "Post-Quantum Protection for AI Systems: Model Weights, Inference Encryption, and Training Data",
      "url": "/articles/ai-landscape/ai-post-quantum-protection/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-post-quantum-protection/",
      "category": "ai-landscape",
      "tags": ["post-quantum","ai-security","model-protection","ml-kem","inference-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer"]
    },
    {
      "title": "Claude Computer Use Sandboxing: Production Patterns for Screen-Control Agent APIs",
      "url": "/articles/ai-landscape/claude-computer-use-sandboxing/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/claude-computer-use-sandboxing/",
      "category": "ai-landscape",
      "tags": ["claude","computer-use","agent-sandboxing","virtualisation","ai-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "GPU Shared-Kernel Attacks: Isolation Failures in Multi-Tenant AI Inference Clusters",
      "url": "/articles/ai-landscape/gpu-shared-kernel-ai-isolation/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/gpu-shared-kernel-ai-isolation/",
      "category": "ai-landscape",
      "tags": ["gpu","cve","kernel","multi-tenant","ai-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "LLM-Powered Credential Stuffing and Synthetic Identity Bots: Defence Beyond Rate Limiting",
      "url": "/articles/ai-landscape/llm-powered-credential-stuffing-defence/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-powered-credential-stuffing-defence/",
      "category": "ai-landscape",
      "tags": ["credential-stuffing","synthetic-identity","ai-attacks","authentication","fraud"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "MCP Tool Call Injection: Hijacking Tool Results to Redirect Agent Behaviour",
      "url": "/articles/ai-landscape/mcp-tool-call-injection/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mcp-tool-call-injection/",
      "category": "ai-landscape",
      "tags": ["mcp","prompt-injection","tool-use","ai-security","agentic-ai"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Open Source AI Models and the Security Audit Gap: What Openness Actually Means for Llama and Mistral",
      "url": "/articles/ai-landscape/open-source-ai-models-security-audit/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/open-source-ai-models-security-audit/",
      "category": "ai-landscape",
      "tags": ["open-source","llm-security","model-security","supply-chain","ai-transparency"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "vLLM and the KV-Cache Isolation Problem: How Shared Memory Leaks Between Inference Requests",
      "url": "/articles/ai-landscape/vllm-shared-memory-inference-isolation/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/vllm-shared-memory-inference-isolation/",
      "category": "ai-landscape",
      "tags": ["vllm","inference","shared-memory","kernel","multi-tenant"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Authored Malicious PRs: How LLMs Write Backdoors That Pass Code Review",
      "url": "/articles/cicd/ai-authored-malicious-pr-defence/",
      "full_url": "https://www.systemshardening.com/articles/cicd/ai-authored-malicious-pr-defence/",
      "category": "cicd",
      "tags": ["pull-requests","ai-attacks","supply-chain","code-review","cicd"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "AI-Generated Code and Open Source License Compliance: The Copilot Copyright Problem",
      "url": "/articles/cicd/ai-code-license-compliance/",
      "full_url": "https://www.systemshardening.com/articles/cicd/ai-code-license-compliance/",
      "category": "cicd",
      "tags": ["license-compliance","ai-code-generation","sbom","supply-chain","open-source"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "CI/CD Cache Poisoning Defence Across Actions, Bazel, Nx, and Turbo",
      "url": "/articles/cicd/cicd-cache-poisoning-defence/",
      "full_url": "https://www.systemshardening.com/articles/cicd/cicd-cache-poisoning-defence/",
      "category": "cicd",
      "tags": ["cache-poisoning","github-actions","bazel","nx","turbo","ci"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "Docker-in-Docker and the Shared Kernel Double Bind: Why --privileged in CI Is Host Root",
      "url": "/articles/cicd/docker-in-docker-shared-kernel-risk/",
      "full_url": "https://www.systemshardening.com/articles/cicd/docker-in-docker-shared-kernel-risk/",
      "category": "cicd",
      "tags": ["docker-in-docker","cicd","privileged-containers","image-building","kernel"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "GitHub Actions Reusable Workflow Pinning and Drift Audit: Closing the Post-tj-actions Gap",
      "url": "/articles/cicd/github-actions-reusable-workflow-pinning-audit/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-actions-reusable-workflow-pinning-audit/",
      "category": "cicd",
      "tags": ["github-actions","supply-chain","reusable-workflows","sha-pinning","ci-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "GitHub Advanced Security at Enterprise Scale: Push Protection, Code Scanning Policies, and Autofix",
      "url": "/articles/cicd/github-advanced-security-enterprise/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-advanced-security-enterprise/",
      "category": "cicd",
      "tags": ["github-advanced-security","ghas","secret-scanning","code-scanning","push-protection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "MCP Servers as a Supply Chain Attack Surface: Malicious Tool Registrations and Integrity Verification",
      "url": "/articles/cicd/mcp-server-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/cicd/mcp-server-supply-chain/",
      "category": "cicd",
      "tags": ["mcp","supply-chain","package-security","ai-security","cicd"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Open Source CI/CD Security Disclosure: Reporting Vulnerabilities in Actions, Jenkins Plugins, and ArgoCD",
      "url": "/articles/cicd/oss-cicd-security-disclosure/",
      "full_url": "https://www.systemshardening.com/articles/cicd/oss-cicd-security-disclosure/",
      "category": "cicd",
      "tags": ["open-source-security","github-actions","jenkins","argocd","responsible-disclosure"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Post-Quantum Artifact Signing in CI/CD: Migrating cosign and Sigstore to ML-DSA",
      "url": "/articles/cicd/post-quantum-artifact-signing/",
      "full_url": "https://www.systemshardening.com/articles/cicd/post-quantum-artifact-signing/",
      "category": "cicd",
      "tags": ["post-quantum","artifact-signing","cosign","sigstore","ml-dsa"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Bot PRs Against Public Repos: pull_request_target Exploitation and Forked-PR Secret Exfiltration",
      "url": "/articles/cicd/public-repo-bot-pr-attack-defence/",
      "full_url": "https://www.systemshardening.com/articles/cicd/public-repo-bot-pr-attack-defence/",
      "category": "cicd",
      "tags": ["github-actions","pull-request-target","supply-chain","public-repositories","cicd"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Shared-Kernel CI Runners: How Jobs Leak Secrets Across the Isolation Boundary",
      "url": "/articles/cicd/shared-kernel-ci-runner-escape/",
      "full_url": "https://www.systemshardening.com/articles/cicd/shared-kernel-ci-runner-escape/",
      "category": "cicd",
      "tags": ["github-actions","runner","kernel","secrets","container-escape"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Software Supply Chain in the AI Coding Era: When Your Dependency Is a Prompt",
      "url": "/articles/cross-cutting/ai-coding-supply-chain-risk/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/ai-coding-supply-chain-risk/",
      "category": "cross-cutting",
      "tags": ["supply-chain","sbom","ai-code-generation","open-source","security-governance"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Bot Management in the AI Era: Scoring Tiers, WebAuthn Step-Up, and Vendor Selection",
      "url": "/articles/cross-cutting/ai-era-bot-management-programme/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/ai-era-bot-management-programme/",
      "category": "cross-cutting",
      "tags": ["bot-management","webauthn","programme-management","captcha","ai-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Real-Time Voice Clones Defeating Helpdesk and Voice MFA: A 2026 Defence Guide",
      "url": "/articles/cross-cutting/deepfake-voice-mfa-defence/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/deepfake-voice-mfa-defence/",
      "category": "cross-cutting",
      "tags": ["deepfake","voice-authentication","mfa","identity","social-engineering"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "EU Cyber Resilience Act: Technical Implementation Guide",
      "url": "/articles/cross-cutting/eu-cyber-resilience-act-implementation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/eu-cyber-resilience-act-implementation/",
      "category": "cross-cutting",
      "tags": ["cra","compliance","eu","sbom","vulnerability-handling","conformity"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","compliance"]
    },
    {
      "title": "gVisor and Kata Containers: What the Shared Kernel Problem Forced the Industry to Build",
      "url": "/articles/cross-cutting/gvisor-kata-shared-kernel-defense/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/gvisor-kata-shared-kernel-defense/",
      "category": "cross-cutting",
      "tags": ["gvisor","kata-containers","kernel","container-escape","runtime-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "MCP OAuth 2.0 and the Principle of Least Authority: Scoping What Agents Can Do",
      "url": "/articles/cross-cutting/mcp-oauth2-authorisation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/mcp-oauth2-authorisation/",
      "category": "cross-cutting",
      "tags": ["mcp","oauth2","authorisation","ai-security","identity"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "NIST PQC Standards in Practice: Implementing FIPS 203, 204, and 205 with liboqs and Rust",
      "url": "/articles/cross-cutting/nist-pqc-standards-implementation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/nist-pqc-standards-implementation/",
      "category": "cross-cutting",
      "tags": ["nist-pqc","ml-kem","ml-dsa","slh-dsa","liboqs"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Building a Security Policy for Your Open Source Project: SECURITY.md, CVE Workflow, and Community Trust",
      "url": "/articles/cross-cutting/oss-security-policy/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/oss-security-policy/",
      "category": "cross-cutting",
      "tags": ["open-source-security","security-policy","responsible-disclosure","cve","community-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Enterprise Passkey Rollout Security: Attestation, Recovery, and IdP Interop in Mixed Estates",
      "url": "/articles/cross-cutting/passkey-enterprise-rollout-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/passkey-enterprise-rollout-security/",
      "category": "cross-cutting",
      "tags": ["passkeys","webauthn","fido2","mfa","identity","attestation"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","identity-engineer"]
    },
    {
      "title": "Seccomp as a Shared Kernel Attack Surface Limiter: Building Minimal Syscall Profiles",
      "url": "/articles/cross-cutting/seccomp-minimal-syscall-profiles/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/seccomp-minimal-syscall-profiles/",
      "category": "cross-cutting",
      "tags": ["seccomp","syscall","kernel","container-security","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Building a Unified AppSec Programme: Integrating SAST, SCA, Secret Scanning, and DAST",
      "url": "/articles/cross-cutting/unified-appsec-programme/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/unified-appsec-programme/",
      "category": "cross-cutting",
      "tags": ["appsec","sast","sca","dast","defectdojo"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "AI-Generated Kubernetes Operators vs. Maintained Open Source: The CVE Response Gap",
      "url": "/articles/kubernetes/ai-generated-operators-vs-open-source/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ai-generated-operators-vs-open-source/",
      "category": "kubernetes",
      "tags": ["operators","open-source","ai-code-generation","supply-chain","kubernetes"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Custom CodeQL Queries for Kubernetes Security: Scanning for RBAC Misconfigs, Pod Security Gaps, and Helm Secrets",
      "url": "/articles/kubernetes/codeql-kubernetes-security-queries/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/codeql-kubernetes-security-queries/",
      "category": "kubernetes",
      "tags": ["codeql","kubernetes-security","sast","rbac","code-scanning"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "containerd CVE-2022-23648: Path Traversal That Exposed the Host Filesystem",
      "url": "/articles/kubernetes/containerd-cve-2022-23648-path-traversal/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/containerd-cve-2022-23648-path-traversal/",
      "category": "kubernetes",
      "tags": ["cve","containerd","path-traversal","container-escape","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Agentic Bot Detection at Kubernetes Ingress: Envoy ext_authz Scoring for LLM-Driven Traffic",
      "url": "/articles/kubernetes/kubernetes-agentic-bot-defence/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-agentic-bot-defence/",
      "category": "kubernetes",
      "tags": ["envoy","bot-detection","kubernetes","ingress","agentic-ai"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes Dynamic Resource Allocation (DRA) Security Hardening",
      "url": "/articles/kubernetes/kubernetes-dra-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-dra-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","dra","resourceclaim","gpu","device-driver","rbac"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "Kubernetes In-Place Pod Resize Security: Admission Policy and Resource-Cap Enforcement on 1.33+",
      "url": "/articles/kubernetes/kubernetes-in-place-pod-resize-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-in-place-pod-resize-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","pod-resize","admission-control","resource-quotas","vpa","cve"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "LLM Agents with kubectl Access: Prompt Injection from Logs and Manifests into Cluster Compromise",
      "url": "/articles/kubernetes/kubernetes-llm-agent-access-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-llm-agent-access-hardening/",
      "category": "kubernetes",
      "tags": ["llm-agents","prompt-injection","kubernetes","rbac","ai-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "MCP Servers in Kubernetes: RBAC Scoping and Network Isolation for Agent Tool Backends",
      "url": "/articles/kubernetes/kubernetes-mcp-server-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-mcp-server-security/",
      "category": "kubernetes",
      "tags": ["mcp","kubernetes","rbac","network-policy","ai-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes Operator Security Disclosure: Reporting and Responding to Vulnerabilities in Custom Controllers",
      "url": "/articles/kubernetes/kubernetes-operator-security-disclosure/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-operator-security-disclosure/",
      "category": "kubernetes",
      "tags": ["kubernetes-security","operator-security","responsible-disclosure","cve","open-source-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Post-Quantum Certificate Management in Kubernetes: Migrating Cluster PKI to Hybrid Certificates",
      "url": "/articles/kubernetes/kubernetes-post-quantum-pki/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-post-quantum-pki/",
      "category": "kubernetes",
      "tags": ["post-quantum","kubernetes-pki","cert-manager","hybrid-certificates","spiffe"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "runc CVE-2019-5736: Overwriting the Container Runtime from Inside a Container",
      "url": "/articles/kubernetes/runc-container-escape-cve-2019-5736/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/runc-container-escape-cve-2019-5736/",
      "category": "kubernetes",
      "tags": ["cve","container-escape","runc","kernel","privilege-escalation"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "AI-Generated System Code vs. the Linux Kernel's 30-Year Audit Trail",
      "url": "/articles/linux/ai-generated-vs-open-source-kernel/",
      "full_url": "https://www.systemshardening.com/articles/linux/ai-generated-vs-open-source-kernel/",
      "category": "linux",
      "tags": ["open-source","ai-code-generation","kernel","supply-chain","security-engineering"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Dirty Pipe (CVE-2022-0847): Writing to Read-Only Files Inside Containers",
      "url": "/articles/linux/dirty-pipe-container-escape/",
      "full_url": "https://www.systemshardening.com/articles/linux/dirty-pipe-container-escape/",
      "category": "linux",
      "tags": ["cve","container-escape","kernel","privilege-escalation","linux"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Discovered Linux LPE Chains: Patch Prioritisation and Kernel Hardening for the Fuzzer Era",
      "url": "/articles/linux/linux-ai-discovered-lpe-defence/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-ai-discovered-lpe-defence/",
      "category": "linux",
      "tags": ["kernel","privilege-escalation","ai-fuzzing","patch-management","hardening"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux BPF Token: Delegated Unprivileged eBPF Without CAP_BPF on the Host",
      "url": "/articles/linux/linux-bpf-token-unprivileged-ebpf/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-bpf-token-unprivileged-ebpf/",
      "category": "linux",
      "tags": ["ebpf","bpf-token","user-namespaces","capabilities","kernel","linux"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Linux kexec Hardening: Signed Kernel Loading and Lockdown Integration",
      "url": "/articles/linux/linux-kexec-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-kexec-hardening/",
      "category": "linux",
      "tags": ["kexec","kernel","lockdown","secure-boot","kdump","linux"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Residential Proxy Networks and Kernel-Level Bot Mitigation: nftables Rate-Limiting at the Host Edge",
      "url": "/articles/linux/linux-residential-proxy-bot-mitigation/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-residential-proxy-bot-mitigation/",
      "category": "linux",
      "tags": ["nftables","bot-mitigation","residential-proxy","kernel","rate-limiting"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "MCP Server Hardening on Linux: Filesystem Scoping and Process Isolation",
      "url": "/articles/linux/mcp-server-linux-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/mcp-server-linux-hardening/",
      "category": "linux",
      "tags": ["mcp","process-isolation","seccomp","linux","ai-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Open Source Security Release Process: CVE Assignment, Coordinated Disclosure, and Patching Linux Tools",
      "url": "/articles/linux/oss-security-release-process/",
      "full_url": "https://www.systemshardening.com/articles/linux/oss-security-release-process/",
      "category": "linux",
      "tags": ["open-source-security","cve-assignment","responsible-disclosure","security-release","vulnerability-management"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Post-Quantum SSH: Hybrid ML-KEM Key Exchange and ML-DSA Host Keys with OpenSSH 9.0+",
      "url": "/articles/linux/post-quantum-ssh-openssh/",
      "full_url": "https://www.systemshardening.com/articles/linux/post-quantum-ssh-openssh/",
      "category": "linux",
      "tags": ["post-quantum","ssh","openssh","ml-kem","hybrid-cryptography"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Securing the Code Scanning Environment: Preventing Scan Bypass and Result Tampering on Linux",
      "url": "/articles/linux/secure-code-scanning-environment/",
      "full_url": "https://www.systemshardening.com/articles/linux/secure-code-scanning-environment/",
      "category": "linux",
      "tags": ["code-scanning","build-security","sast","environment-hardening","supply-chain"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "User Namespace Privilege Escalation: CVE-2023-32233 and the Netlink Attack Chain",
      "url": "/articles/linux/user-namespace-cve-2023-32233/",
      "full_url": "https://www.systemshardening.com/articles/linux/user-namespace-cve-2023-32233/",
      "category": "linux",
      "tags": ["cve","user-namespaces","kernel","privilege-escalation","netfilter"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AF_PACKET and CAP_NET_RAW: Two Kernel CVEs That Made the Default Docker Capability Set Dangerous",
      "url": "/articles/network/af-packet-cap-net-raw-container-escape/",
      "full_url": "https://www.systemshardening.com/articles/network/af-packet-cap-net-raw-container-escape/",
      "category": "network",
      "tags": ["cve","cap-net-raw","af-packet","container-escape","kernel"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Never Reimplement Crypto: Why AI-Generated TLS and Network Stacks Are Categorically Unsafe",
      "url": "/articles/network/ai-generated-crypto-vs-open-source/",
      "full_url": "https://www.systemshardening.com/articles/network/ai-generated-crypto-vs-open-source/",
      "category": "network",
      "tags": ["cryptography","open-source","tls","ai-code-generation","network-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Generated Polymorphic Payloads and the Death of Signature WAFs",
      "url": "/articles/network/ai-generated-traffic-waf-defence/",
      "full_url": "https://www.systemshardening.com/articles/network/ai-generated-traffic-waf-defence/",
      "category": "network",
      "tags": ["waf","ai-attacks","bot-defence","payload-polymorphism","network-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "API Schema Security Scanning: Detecting Auth Gaps, Injection Risks, and Data Exposure in OpenAPI and Protobuf",
      "url": "/articles/network/api-schema-security-scanning/",
      "full_url": "https://www.systemshardening.com/articles/network/api-schema-security-scanning/",
      "category": "network",
      "tags": ["api-security","openapi","schema-scanning","sast","grpc-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "JA4 Fingerprint Evasion: The uTLS Arms Race and Detection Beyond TLS Fingerprinting",
      "url": "/articles/network/ja4-fingerprint-evasion-bot-detection/",
      "full_url": "https://www.systemshardening.com/articles/network/ja4-fingerprint-evasion-bot-detection/",
      "category": "network",
      "tags": ["tls-fingerprinting","ja4","bot-detection","utls","network-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "MASQUE and CONNECT-UDP Proxy Hardening: Production Egress Gateways for HTTP/3 Traffic",
      "url": "/articles/network/masque-connect-udp-proxy-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/masque-connect-udp-proxy-hardening/",
      "category": "network",
      "tags": ["masque","connect-udp","http3","quic","proxy","egress"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["network-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "MASQUE and CONNECT-UDP Proxy Security Hardening",
      "url": "/articles/network/masque-connect-udp-proxy-security/",
      "full_url": "https://www.systemshardening.com/articles/network/masque-connect-udp-proxy-security/",
      "category": "network",
      "tags": ["masque","connect-udp","http3","quic","proxy","egress"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer","platform-engineer"]
    },
    {
      "title": "MCP Transport Security: Closing the Authentication Gap in SSE and HTTP Transports",
      "url": "/articles/network/mcp-transport-security/",
      "full_url": "https://www.systemshardening.com/articles/network/mcp-transport-security/",
      "category": "network",
      "tags": ["mcp","tls","oauth","authentication","network-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Netfilter CVE-2022-1015 and CVE-2022-1016: Kernel Heap Overflow from Container Network Rules",
      "url": "/articles/network/netfilter-container-escape-cve-2022-1015/",
      "full_url": "https://www.systemshardening.com/articles/network/netfilter-container-escape-cve-2022-1015/",
      "category": "network",
      "tags": ["cve","container-escape","netfilter","kernel","network-namespace"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Disclosing Vulnerabilities in Open Source Networking Software: Nginx, HAProxy, and Envoy",
      "url": "/articles/network/oss-network-software-disclosure/",
      "full_url": "https://www.systemshardening.com/articles/network/oss-network-software-disclosure/",
      "category": "network",
      "tags": ["open-source-security","nginx","haproxy","envoy","responsible-disclosure"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Post-Quantum TLS 1.3 in Production: Deploying X25519+ML-KEM-768 with OpenSSL 3.5, NGINX, and HAProxy",
      "url": "/articles/network/tls-post-quantum-hybrid-deployment/",
      "full_url": "https://www.systemshardening.com/articles/network/tls-post-quantum-hybrid-deployment/",
      "category": "network",
      "tags": ["post-quantum","tls-1-3","openssl","ml-kem","hybrid-key-exchange"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Detecting LLM-Driven Bots Through Observability: Signals That Survive AI Mimicry",
      "url": "/articles/observability/agentic-bot-detection-observability/",
      "full_url": "https://www.systemshardening.com/articles/observability/agentic-bot-detection-observability/",
      "category": "observability",
      "tags": ["bot-detection","observability","agentic-ai","siem","behavioral-analytics"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Fabricated Log Evidence: Defending Forensic Pipelines Against LLM-Generated Log Forgery",
      "url": "/articles/observability/ai-fabricated-log-forensics-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/ai-fabricated-log-forensics-detection/",
      "category": "observability",
      "tags": ["log-integrity","forensics","ai-attacks","siem","audit-logs"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Generated Monitoring vs. Open Source Observability Standards: The Ecosystem Argument",
      "url": "/articles/observability/ai-generated-vs-open-source-observability/",
      "full_url": "https://www.systemshardening.com/articles/observability/ai-generated-vs-open-source-observability/",
      "category": "observability",
      "tags": ["opentelemetry","prometheus","open-source","ai-code-generation","observability"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "eBPF Verifier Bugs: Privilege Escalation from Container Observability Tools",
      "url": "/articles/observability/ebpf-verifier-privilege-escalation/",
      "full_url": "https://www.systemshardening.com/articles/observability/ebpf-verifier-privilege-escalation/",
      "category": "observability",
      "tags": ["ebpf","cve","privilege-escalation","kernel","container-escape"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Frontend RUM Security: Grafana Faro, Session Replay, and Browser Telemetry",
      "url": "/articles/observability/frontend-rum-security-grafana-faro/",
      "full_url": "https://www.systemshardening.com/articles/observability/frontend-rum-security-grafana-faro/",
      "category": "observability",
      "tags": ["rum","grafana-faro","session-replay","browser","pii","observability"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Detecting Harvest-Now-Decrypt-Later: Monitoring for Quantum-Era Adversary Collection",
      "url": "/articles/observability/harvest-now-decrypt-later-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/harvest-now-decrypt-later-detection/",
      "category": "observability",
      "tags": ["harvest-now-decrypt-later","quantum-security","threat-detection","network-monitoring","advanced-persistent-threat"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Auditing MCP Tool Calls: Building the Forensic Trail for Agent Actions",
      "url": "/articles/observability/mcp-tool-call-audit-logging/",
      "full_url": "https://www.systemshardening.com/articles/observability/mcp-tool-call-audit-logging/",
      "category": "observability",
      "tags": ["mcp","audit-logging","forensics","observability","ai-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Security Issues in Observability Tooling: Reporting Vulnerabilities in Prometheus, Grafana, and Elasticsearch",
      "url": "/articles/observability/oss-observability-security-disclosure/",
      "full_url": "https://www.systemshardening.com/articles/observability/oss-observability-security-disclosure/",
      "category": "observability",
      "tags": ["open-source-security","prometheus","grafana","elasticsearch","responsible-disclosure"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "OpenTelemetry Profiles Signal Security: PII Leakage, Access Control, and Symbolisation Pipelines",
      "url": "/articles/observability/otel-profiles-signal-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/otel-profiles-signal-security/",
      "category": "observability",
      "tags": ["opentelemetry","profiles","continuous-profiling","pii","ebpf","pyroscope"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "perf_event_open and Kernel Profiling as an Attack Surface: CVE-2023-2235 and Hardening Paranoid Mode",
      "url": "/articles/observability/perf-event-kernel-attack-surface/",
      "full_url": "https://www.systemshardening.com/articles/observability/perf-event-kernel-attack-surface/",
      "category": "observability",
      "tags": ["perf","cve","kernel","profiling","privilege-escalation"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Correlating SAST Findings with Runtime Behaviour: Prioritising Reachable Vulnerabilities",
      "url": "/articles/observability/sast-runtime-correlation/",
      "full_url": "https://www.systemshardening.com/articles/observability/sast-runtime-correlation/",
      "category": "observability",
      "tags": ["sast","runtime-analysis","vulnerability-prioritisation","opentelemetry","code-scanning"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "AI-Generated WASM Runtimes vs. Wasmtime and WasmEdge: Why Implementation Correctness Is the Security Model",
      "url": "/articles/wasm/ai-generated-wasm-runtime-risk/",
      "full_url": "https://www.systemshardening.com/articles/wasm/ai-generated-wasm-runtime-risk/",
      "category": "wasm",
      "tags": ["webassembly","wasmtime","open-source","runtime-security","ai-code-generation"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASI Preview 2 and the Component Model: What Capability-Based Isolation Actually Prevents",
      "url": "/articles/wasm/wasi-preview2-capability-isolation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasi-preview2-capability-isolation/",
      "category": "wasm",
      "tags": ["wasi","webassembly","capability-security","isolation","wasmtime"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Bot Challenges: The Reverse-Engineering Arms Race and Integrity Controls",
      "url": "/articles/wasm/wasm-bot-challenge-integrity/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-bot-challenge-integrity/",
      "category": "wasm",
      "tags": ["webassembly","bot-detection","cloudflare","reverse-engineering","browser-integrity"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Hybrid PQC Key Encapsulation in Browser WASM: ML-KEM Integration for End-to-End Encrypted Web Applications",
      "url": "/articles/wasm/wasm-browser-pqc-key-encapsulation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-browser-pqc-key-encapsulation/",
      "category": "wasm",
      "tags": ["wasm","post-quantum","ml-kem","webcrypto","browser-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM as Kernel-Independent Isolation: CVE-2023-26114 and the Residual Shared-Kernel Risk",
      "url": "/articles/wasm/wasm-kernel-independent-isolation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-kernel-independent-isolation/",
      "category": "wasm",
      "tags": ["webassembly","cve","isolation","kernel","wasmtime"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "On-Device WASM Model Extraction: Defending Transformers.js and ONNX-WASM Against Weight Stealing",
      "url": "/articles/wasm/wasm-on-device-llm-extraction-defence/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-on-device-llm-extraction-defence/",
      "category": "wasm",
      "tags": ["webassembly","model-extraction","on-device-ai","transformers-js","model-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Runtime Security Disclosures: Tracking and Responding to Wasmtime, V8, and WasmEdge CVEs",
      "url": "/articles/wasm/wasm-runtime-security-disclosures/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-runtime-security-disclosures/",
      "category": "wasm",
      "tags": ["wasm-runtime","wasmtime","security-disclosure","cve","sandbox-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM-Sandboxed MCP Tool Implementations: Containing the Blast Radius of Agent Tool Execution",
      "url": "/articles/wasm/wasm-sandboxed-mcp-tools/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-sandboxed-mcp-tools/",
      "category": "wasm",
      "tags": ["webassembly","mcp","extism","sandboxing","ai-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Security Scanning for WebAssembly: SAST for Rust Source and Binary Analysis of Compiled Modules",
      "url": "/articles/wasm/wasm-security-scanning-pipeline/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-security-scanning-pipeline/",
      "category": "wasm",
      "tags": ["wasm","security-scanning","sast","cargo-audit","supply-chain"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WebAssembly Spectre and Side-Channel Mitigations: Wasmtime, V8, and Runtime-Level Hardening",
      "url": "/articles/wasm/wasm-spectre-side-channel-mitigations/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-spectre-side-channel-mitigations/",
      "category": "wasm",
      "tags": ["wasm","spectre","side-channel","wasmtime","v8","transient-execution"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["security-engineer","systems-engineer","platform-engineer"]
    },
    {
      "title": "Wasmtime Pulley Interpreter Security Hardening",
      "url": "/articles/wasm/wasmtime-pulley-interpreter-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmtime-pulley-interpreter-security/",
      "category": "wasm",
      "tags": ["wasmtime","pulley","interpreter","wasm","sandboxing","embedded"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-08T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Augmented Anti-Money Laundering: Graph Networks, Synthetic Identity, and Adversarial Robustness",
      "url": "/articles/ai-landscape/ai-anti-money-laundering/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-anti-money-laundering/",
      "category": "ai-landscape",
      "tags": ["aml","graph-neural-networks","synthetic-identity","fraud-detection","adversarial-ml"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer"]
    },
    {
      "title": "Securing AI Model Fine-Tuning Pipelines: Dataset Poisoning, Backdoor Attacks, and Supply Chain Risks",
      "url": "/articles/ai-landscape/ai-model-finetuning-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-model-finetuning-security/",
      "category": "ai-landscape",
      "tags": ["fine-tuning","model-backdoor","dataset-poisoning","mlops-security","supply-chain"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer"]
    },
    {
      "title": "AI Red Teams and Container Security: What the Benchmarks Mean for Architecture",
      "url": "/articles/ai-landscape/ai-red-team-container-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-red-team-container-security/",
      "category": "ai-landscape",
      "tags": ["ai-red-team","container-security","vulnerability-discovery","gvisor","threat-model"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI SBOM and Model Provenance Tracking",
      "url": "/articles/ai-landscape/ai-sbom-model-provenance/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-sbom-model-provenance/",
      "category": "ai-landscape",
      "tags": ["sbom","model-provenance","supply-chain","sigstore","mlops-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","compliance-engineer"]
    },
    {
      "title": "Confidential AI Inference: Protecting Model Weights and User Data with TEEs",
      "url": "/articles/ai-landscape/confidential-ai-inference/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/confidential-ai-inference/",
      "category": "ai-landscape",
      "tags": ["confidential-computing","tee","intel-tdx","amd-sev","model-privacy"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "LiteLLM Proxy Pre-Auth SQL Injection: CVE-2026-42208",
      "url": "/articles/ai-landscape/litellm-sql-injection-proxy/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/litellm-sql-injection-proxy/",
      "category": "ai-landscape",
      "tags": ["litellm","sql-injection","llm-proxy","cve","credential-theft"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "RAG Pipeline Security: Hardening Retrieval-Augmented Generation from Ingestion to Response",
      "url": "/articles/ai-landscape/rag-pipeline-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/rag-pipeline-security/",
      "category": "ai-landscape",
      "tags": ["rag","vector-database","prompt-injection","data-poisoning","llm-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI-Assisted Vulnerability Discovery in CI/CD Pipelines",
      "url": "/articles/cicd/ai-sast-cicd-vulnerability-discovery/",
      "full_url": "https://www.systemshardening.com/articles/cicd/ai-sast-cicd-vulnerability-discovery/",
      "category": "cicd",
      "tags": ["ai-security","sast","vulnerability-discovery","cicd","llm"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AWS CodePipeline and CodeBuild Security Hardening",
      "url": "/articles/cicd/aws-codepipeline-codebuild-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/aws-codepipeline-codebuild-security/",
      "category": "cicd",
      "tags": ["aws","codepipeline","codebuild","iam-security","pipeline-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Azure DevOps and Azure Pipelines Security Hardening",
      "url": "/articles/cicd/azure-devops-pipeline-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/azure-devops-pipeline-security/",
      "category": "cicd",
      "tags": ["azure-devops","azure-pipelines","service-connections","oidc","pipeline-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Bazel Build System Security: Remote Execution, bzlmod, and Hermetic Hardening",
      "url": "/articles/cicd/bazel-build-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/bazel-build-security/",
      "category": "cicd",
      "tags": ["bazel","remote-execution","build-security","hermetic-builds","bzlmod"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Docker BuildKit Cache Security: Preventing Cache Poisoning in CI/CD",
      "url": "/articles/cicd/buildkit-cache-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/buildkit-cache-security/",
      "category": "cicd",
      "tags": ["buildkit","docker","cache-poisoning","container-build","supply-chain"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Securing CD Promotion Gates and Approval Workflows",
      "url": "/articles/cicd/cd-promotion-gates-approvals/",
      "full_url": "https://www.systemshardening.com/articles/cicd/cd-promotion-gates-approvals/",
      "category": "cicd",
      "tags": ["continuous-delivery","deployment-gates","approval-workflows","change-management","four-eyes-principle"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Monitoring CI/CD Pipelines for Security Anomalies and Pipeline Tampering",
      "url": "/articles/cicd/cicd-pipeline-anomaly-detection/",
      "full_url": "https://www.systemshardening.com/articles/cicd/cicd-pipeline-anomaly-detection/",
      "category": "cicd",
      "tags": ["pipeline-monitoring","anomaly-detection","audit-logs","supply-chain-security","siem"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "CircleCI Security Hardening: Contexts, OIDC, and Runner Isolation",
      "url": "/articles/cicd/circleci-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/circleci-security-hardening/",
      "category": "cicd",
      "tags": ["circleci","ci-security","context-security","pipeline-security","oidc"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Container Image Provenance Attestations: SLSA and SBOM Attestation End-to-End",
      "url": "/articles/cicd/container-image-attestations/",
      "full_url": "https://www.systemshardening.com/articles/cicd/container-image-attestations/",
      "category": "cicd",
      "tags": ["attestations","slsa","cosign","sbom","provenance"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Container Vulnerability Scanning in CI/CD Pipelines: Trivy, Grype, and Policy Enforcement",
      "url": "/articles/cicd/container-vulnerability-scanning-ci/",
      "full_url": "https://www.systemshardening.com/articles/cicd/container-vulnerability-scanning-ci/",
      "category": "cicd",
      "tags": ["vulnerability-scanning","trivy","grype","container-security","shift-left"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Replacing Long-Lived CI/CD Cloud Credentials with Ephemeral OIDC Tokens",
      "url": "/articles/cicd/ephemeral-cloud-credentials-cicd/",
      "full_url": "https://www.systemshardening.com/articles/cicd/ephemeral-cloud-credentials-cicd/",
      "category": "cicd",
      "tags": ["oidc","ephemeral-credentials","aws-irsa","workload-identity","zero-trust"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "GitHub Actions Self-Hosted Runner Hardening: Registration, Isolation, and Ephemeral Patterns",
      "url": "/articles/cicd/github-actions-self-hosted-runner/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-actions-self-hosted-runner/",
      "category": "cicd",
      "tags": ["github-actions","self-hosted-runner","ci-security","ephemeral-runners","network-isolation"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "GitLab GraphQL CSRF: CVE-2026-4922 and Insufficient Token Validation",
      "url": "/articles/cicd/gitlab-graphql-csrf/",
      "full_url": "https://www.systemshardening.com/articles/cicd/gitlab-graphql-csrf/",
      "category": "cicd",
      "tags": ["gitlab","csrf","graphql","cve","web-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Go Module Supply Chain Security: Proxy, Checksums, govulncheck, and Private Modules",
      "url": "/articles/cicd/go-module-supply-chain-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/go-module-supply-chain-security/",
      "category": "cicd",
      "tags": ["golang","go-modules","supply-chain","govulncheck","module-proxy"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "IaC Security Scanning in CI/CD: Checkov, tfsec, and Policy-as-Code for Terraform, CloudFormation, Kubernetes, and Helm",
      "url": "/articles/cicd/iac-security-scanning-cicd/",
      "full_url": "https://www.systemshardening.com/articles/cicd/iac-security-scanning-cicd/",
      "category": "cicd",
      "tags": ["iac-security","checkov","tfsec","terraform","policy-as-code"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Infrastructure Drift Detection: Closing the Gap Between IaC State and Live Infrastructure",
      "url": "/articles/cicd/infrastructure-drift-detection/",
      "full_url": "https://www.systemshardening.com/articles/cicd/infrastructure-drift-detection/",
      "category": "cicd",
      "tags": ["drift-detection","terraform","gitops","infrastructure-as-code","compliance"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Kubernetes Manifest Validation in CI: Catching Security Issues Before Deployment",
      "url": "/articles/cicd/kubernetes-manifest-validation-ci/",
      "full_url": "https://www.systemshardening.com/articles/cicd/kubernetes-manifest-validation-ci/",
      "category": "cicd",
      "tags": ["kubernetes","manifest-validation","kyverno","conftest","policy-as-code"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Automating License Compliance Checks in CI/CD Pipelines",
      "url": "/articles/cicd/license-compliance-cicd/",
      "full_url": "https://www.systemshardening.com/articles/cicd/license-compliance-cicd/",
      "category": "cicd",
      "tags": ["license-compliance","sbom","open-source-compliance","legal-risk","supply-chain"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Maven and Gradle Build Security: Supply Chain Hardening for Java/JVM Projects",
      "url": "/articles/cicd/maven-gradle-build-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/maven-gradle-build-security/",
      "category": "cicd",
      "tags": ["maven","gradle","java-security","dependency-verification","artifact-signing"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Securing Docker Multi-Stage Builds to Minimise Attack Surface in Production Images",
      "url": "/articles/cicd/multistage-docker-build-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/multistage-docker-build-security/",
      "category": "cicd",
      "tags": ["docker","multistage-builds","container-hardening","minimal-images","dockerfile-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Pre-Commit Hooks for Security Enforcement in Development Workflows",
      "url": "/articles/cicd/pre-commit-security-hooks/",
      "full_url": "https://www.systemshardening.com/articles/cicd/pre-commit-security-hooks/",
      "category": "cicd",
      "tags": ["pre-commit","git-hooks","developer-security","shift-left","secret-detection"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Pulumi Security Hardening: State, Secrets, CrossGuard, and OIDC Authentication",
      "url": "/articles/cicd/pulumi-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/pulumi-security-hardening/",
      "category": "cicd",
      "tags": ["pulumi","iac-security","state-management","secrets-management","infrastructure-as-code"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Python Packaging Security in CI/CD Pipelines",
      "url": "/articles/cicd/python-packaging-security-ci/",
      "full_url": "https://www.systemshardening.com/articles/cicd/python-packaging-security-ci/",
      "category": "cicd",
      "tags": ["python","pypi","pip-audit","trusted-publishing","supply-chain"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Rust and Cargo Supply Chain Security: cargo-audit, cargo-deny, and Build Script Risks",
      "url": "/articles/cicd/rust-cargo-supply-chain-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/rust-cargo-supply-chain-security/",
      "category": "cicd",
      "tags": ["rust","cargo","supply-chain","cargo-audit","crates-io"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Integrating SAST into CI/CD Pipelines: Semgrep, CodeQL, and False Positive Management",
      "url": "/articles/cicd/sast-integration-cicd/",
      "full_url": "https://www.systemshardening.com/articles/cicd/sast-integration-cicd/",
      "category": "cicd",
      "tags": ["sast","semgrep","codeql","static-analysis","shift-left"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Secret Scanning in CI/CD Pipelines: Detecting Leaked Credentials Before They Cause Damage",
      "url": "/articles/cicd/secret-scanning-cicd/",
      "full_url": "https://www.systemshardening.com/articles/cicd/secret-scanning-cicd/",
      "category": "cicd",
      "tags": ["secret-scanning","gitleaks","trufflehog","pre-commit","credential-detection"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "SOX-Compliant Deployment Pipelines: Segregation of Duties and Immutable Change Evidence",
      "url": "/articles/cicd/sox-compliant-deployment-pipeline/",
      "full_url": "https://www.systemshardening.com/articles/cicd/sox-compliant-deployment-pipeline/",
      "category": "cicd",
      "tags": ["sox-compliance","segregation-of-duties","change-management","audit-trails","financial-systems"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","compliance-engineer"]
    },
    {
      "title": "Enforcing Software Supply Chain Security Policies at Deploy Time",
      "url": "/articles/cicd/supply-chain-policy-deploy-time/",
      "full_url": "https://www.systemshardening.com/articles/cicd/supply-chain-policy-deploy-time/",
      "category": "cicd",
      "tags": ["supply-chain-security","policy-enforcement","admission-control","slsa","cosign"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "CI/CD Webhook Security Hardening: GitHub, GitLab, and Generic Receivers",
      "url": "/articles/cicd/webhook-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/webhook-security-hardening/",
      "category": "cicd",
      "tags": ["webhooks","hmac","github-webhooks","replay-prevention","pipeline-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "API Security Testing: DAST, Fuzzing, and Automated Security Validation for REST and gRPC",
      "url": "/articles/cross-cutting/api-security-testing/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/api-security-testing/",
      "category": "cross-cutting",
      "tags": ["api-security","dast","fuzzing","security-testing","owasp"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Audit Logging Architecture: Designing Tamper-Resistant, Compliance-Ready Audit Trails",
      "url": "/articles/cross-cutting/audit-logging-architecture/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/audit-logging-architecture/",
      "category": "cross-cutting",
      "tags": ["audit-logging","log-architecture","compliance","tamper-protection","siem"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","compliance-engineer"]
    },
    {
      "title": "Backup and Recovery Security: Protecting Your Last Line of Defence Against Ransomware",
      "url": "/articles/cross-cutting/backup-recovery-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/backup-recovery-security/",
      "category": "cross-cutting",
      "tags": ["backup-security","ransomware-defence","disaster-recovery","immutable-storage","business-continuity"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Certificate Lifecycle Management: From Issuance to Renewal and Revocation",
      "url": "/articles/cross-cutting/certificate-lifecycle-management/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/certificate-lifecycle-management/",
      "category": "cross-cutting",
      "tags": ["certificates","pki","cert-manager","acme","lifecycle-management"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Container Security Across the SDLC: From Dockerfile to Production",
      "url": "/articles/cross-cutting/container-security-sdlc/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/container-security-sdlc/",
      "category": "cross-cutting",
      "tags": ["container-security","sdlc","shift-left","devsecops","supply-chain"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Cryptographic Agility: Designing Systems to Survive Algorithm Transitions",
      "url": "/articles/cross-cutting/cryptographic-agility/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/cryptographic-agility/",
      "category": "cross-cutting",
      "tags": ["cryptographic-agility","post-quantum","algorithm-negotiation","key-management","crypto-design"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Cryptographic Key Hierarchy Design: Root Keys, Intermediate Keys, and Data Encryption Keys",
      "url": "/articles/cross-cutting/cryptographic-key-hierarchy/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/cryptographic-key-hierarchy/",
      "category": "cross-cutting",
      "tags": ["key-management","cryptography","envelope-encryption","kms","hsm"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Data Classification and Secure Handling: From Taxonomy to Technical Controls",
      "url": "/articles/cross-cutting/data-classification-handling/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/data-classification-handling/",
      "category": "cross-cutting",
      "tags": ["data-classification","data-handling","privacy","gdpr","information-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","compliance-engineer"]
    },
    {
      "title": "DORA Technical Implementation: ICT Risk Management, Resilience Testing, and Third-Party Oversight",
      "url": "/articles/cross-cutting/dora-technical-implementation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/dora-technical-implementation/",
      "category": "cross-cutting",
      "tags": ["dora","financial-resilience","ict-risk","regulatory-compliance","penetration-testing"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","compliance-engineer"]
    },
    {
      "title": "Firecracker VMM Attack Surface: CVE-2026-5747 and the Limits of Minimal VMs",
      "url": "/articles/cross-cutting/firecracker-vmm-attack-surface/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/firecracker-vmm-attack-surface/",
      "category": "cross-cutting",
      "tags": ["firecracker","vmm","virtio","cve","container-isolation"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Hardening Baseline Automation: Enforcing and Verifying Security Configuration at Scale",
      "url": "/articles/cross-cutting/hardening-baseline-automation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/hardening-baseline-automation/",
      "category": "cross-cutting",
      "tags": ["hardening-baseline","cis-benchmarks","compliance-automation","ansible","configuration-management"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "IAM Maturity Model: Assessing and Advancing Identity and Access Management Capabilities",
      "url": "/articles/cross-cutting/iam-maturity-model/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/iam-maturity-model/",
      "category": "cross-cutting",
      "tags": ["iam","maturity-model","access-management","least-privilege","identity-governance"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Identity Federation Security: Trust, Attribute Mapping, and Cross-Domain Access",
      "url": "/articles/cross-cutting/identity-federation-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/identity-federation-security/",
      "category": "cross-cutting",
      "tags": ["identity-federation","saml","oidc","sso","trust-hierarchy"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Multi-Tenancy Security Patterns: Isolation, Data Separation, and Cross-Tenant Protections",
      "url": "/articles/cross-cutting/multi-tenancy-security-patterns/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/multi-tenancy-security-patterns/",
      "category": "cross-cutting",
      "tags": ["multi-tenancy","tenant-isolation","saas-security","data-isolation","access-control"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Network Security Architecture: Zones, Segmentation, and Defence-in-Depth Design",
      "url": "/articles/cross-cutting/network-security-architecture/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/network-security-architecture/",
      "category": "cross-cutting",
      "tags": ["network-architecture","network-segmentation","zero-trust","defence-in-depth","firewall-design"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "OpenSSL RSASVE Uninitialized Memory Disclosure: CVE-2026-31790",
      "url": "/articles/cross-cutting/openssl-rsasve-memory-disclosure/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/openssl-rsasve-memory-disclosure/",
      "category": "cross-cutting",
      "tags": ["openssl","memory-disclosure","cve","key-encapsulation","cryptography"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Privileged Access Workstations: Isolating Administrative Credentials from Everyday Risk",
      "url": "/articles/cross-cutting/privileged-access-workstation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/privileged-access-workstation/",
      "category": "cross-cutting",
      "tags": ["paw","privileged-access","admin-security","workstation-hardening","zero-trust"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "RBAC Design Patterns: Building Maintainable, Least-Privilege Permission Systems",
      "url": "/articles/cross-cutting/rbac-design-patterns/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/rbac-design-patterns/",
      "category": "cross-cutting",
      "tags": ["rbac","access-control","least-privilege","policy-as-code","identity"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Secret Sprawl Detection and Remediation: Finding and Eliminating Credentials Across Your Infrastructure",
      "url": "/articles/cross-cutting/secret-sprawl-detection/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/secret-sprawl-detection/",
      "category": "cross-cutting",
      "tags": ["secret-sprawl","credential-detection","secrets-management","gitleaks","vault"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Secure Architecture Patterns: Defence-in-Depth, Least Privilege, and Fail-Safe Defaults",
      "url": "/articles/cross-cutting/secure-architecture-patterns/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/secure-architecture-patterns/",
      "category": "cross-cutting",
      "tags": ["secure-architecture","defence-in-depth","least-privilege","security-design","threat-modeling"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Security Automation and SOAR: Scaling Security Operations Without Scaling Headcount",
      "url": "/articles/cross-cutting/security-automation-soar/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/security-automation-soar/",
      "category": "cross-cutting",
      "tags": ["soar","security-automation","playbooks","incident-response","alert-triage"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Security Champions Programme: Embedding Security Knowledge in Engineering Teams",
      "url": "/articles/cross-cutting/security-champions-program/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/security-champions-program/",
      "category": "cross-cutting",
      "tags": ["security-champions","devSecOps","security-culture","training","shift-left"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Security Debt Management: Prioritising, Tracking, and Reducing Accumulated Risk",
      "url": "/articles/cross-cutting/security-debt-management/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/security-debt-management/",
      "category": "cross-cutting",
      "tags": ["security-debt","risk-management","vulnerability-management","technical-debt","prioritisation"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Security Training for Developers: Building Skills That Prevent Vulnerabilities at Source",
      "url": "/articles/cross-cutting/security-developer-training/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/security-developer-training/",
      "category": "cross-cutting",
      "tags": ["security-training","developer-education","secure-coding","appsec","security-culture"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Security Incident Communication: Internal Escalation and External Disclosure",
      "url": "/articles/cross-cutting/security-incident-communication/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/security-incident-communication/",
      "category": "cross-cutting",
      "tags": ["incident-communication","breach-notification","gdpr","incident-response","crisis-communication"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Security Programme Governance: Policies, Metrics, Reporting, and Organisational Structure",
      "url": "/articles/cross-cutting/security-programme-governance/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/security-programme-governance/",
      "category": "cross-cutting",
      "tags": ["security-governance","security-programme","risk-management","security-metrics","ciso"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Service Account Security: Hardening Non-Human Identities Across Cloud and Kubernetes",
      "url": "/articles/cross-cutting/service-account-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/service-account-security/",
      "category": "cross-cutting",
      "tags": ["service-accounts","workload-identity","oidc","least-privilege","non-human-identity"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Shadow IT Detection: Finding and Managing Unauthorised Services and Infrastructure",
      "url": "/articles/cross-cutting/shadow-it-detection/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/shadow-it-detection/",
      "category": "cross-cutting",
      "tags": ["shadow-it","saas-discovery","asset-discovery","dns-security","governance"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Supply Chain Risk Management: A Programme for Third-Party Software and Dependency Risk",
      "url": "/articles/cross-cutting/supply-chain-risk-management/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/supply-chain-risk-management/",
      "category": "cross-cutting",
      "tags": ["supply-chain","third-party-risk","sbom","dependency-security","risk-management"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Building a Threat Intelligence Programme: From Feed Consumption to Actionable Decisions",
      "url": "/articles/cross-cutting/threat-intelligence-program/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/threat-intelligence-program/",
      "category": "cross-cutting",
      "tags": ["threat-intelligence","misp","ioc","mitre-attack","threat-hunting"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Argo CD Secret Extraction via Read-Only Access: CVE-2026-42880",
      "url": "/articles/kubernetes/argocd-secret-extraction-readonly/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/argocd-secret-extraction-readonly/",
      "category": "kubernetes",
      "tags": ["argocd","secrets","cve","rbac","gitops"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Hardening Kubernetes Against LLM-Automated Container Escapes",
      "url": "/articles/kubernetes/kubernetes-llm-escape-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-llm-escape-hardening/",
      "category": "kubernetes",
      "tags": ["container-escape","ai-security","pod-security","privileged-containers","kubernetes"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes PCI DSS Compliance: Scope Reduction, Network Isolation, and Audit Trails",
      "url": "/articles/kubernetes/kubernetes-pci-dss-compliance/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-pci-dss-compliance/",
      "category": "kubernetes",
      "tags": ["pci-dss","kubernetes","compliance","network-policy","cde"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","compliance-engineer"]
    },
    {
      "title": "Linux Kernel ASLR, PIE, and Exploit Mitigation Hardening Beyond the Defaults",
      "url": "/articles/linux/linux-aslr-pie-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-aslr-pie-hardening/",
      "category": "linux",
      "tags": ["aslr","pie","exploit-mitigations","kernel-hardening","memory-safety"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Container Runtime Security: gVisor, Kata Containers, and crun Beyond runc",
      "url": "/articles/linux/linux-container-runtime-alternatives/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-container-runtime-alternatives/",
      "category": "linux",
      "tags": ["container-runtime","gvisor","kata-containers","sandboxing","isolation"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Core Dump Security Hardening",
      "url": "/articles/linux/linux-core-dump-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-core-dump-hardening/",
      "category": "linux",
      "tags": ["core-dumps","memory-security","systemd-coredump","information-disclosure","ulimit"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Cron and at Job Security Hardening",
      "url": "/articles/linux/linux-cron-at-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-cron-at-security/",
      "category": "linux",
      "tags": ["cron","scheduled-tasks","privilege-escalation","file-permissions","persistence"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","sysadmin"]
    },
    {
      "title": "Linux D-Bus Security Hardening",
      "url": "/articles/linux/linux-dbus-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-dbus-hardening/",
      "category": "linux",
      "tags": ["dbus","polkit","ipc-security","privilege-escalation","systemd"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Disk Quota Security: Preventing Storage-Based Denial of Service",
      "url": "/articles/linux/linux-disk-quota-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-disk-quota-security/",
      "category": "linux",
      "tags": ["disk-quotas","dos-prevention","resource-limits","multi-tenant","filesystem-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","sysadmin"]
    },
    {
      "title": "Linux Entropy and RNG Security: Hardening Randomness from Boot to Application",
      "url": "/articles/linux/linux-entropy-rng-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-entropy-rng-security/",
      "category": "linux",
      "tags": ["entropy","rng","cryptography","getrandom","tpm"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux fanotify for Real-Time Filesystem Security Monitoring",
      "url": "/articles/linux/linux-fanotify-security-monitoring/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-fanotify-security-monitoring/",
      "category": "linux",
      "tags": ["fanotify","inotify","file-integrity","intrusion-detection","ebpf"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux File Immutability with chattr: Protecting Critical System Files Against Root Compromise",
      "url": "/articles/linux/linux-file-immutability-chattr/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-file-immutability-chattr/",
      "category": "linux",
      "tags": ["chattr","file-immutability","extended-attributes","tamper-prevention","intrusion-detection"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","sysadmin"]
    },
    {
      "title": "GnuPG Key Management: Package Signing, File Integrity, and Git Commit Signing",
      "url": "/articles/linux/linux-gnupg-key-management/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-gnupg-key-management/",
      "category": "linux",
      "tags": ["gnupg","pgp","key-management","signing","package-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","sysadmin"]
    },
    {
      "title": "Linux HSM and PKCS#11 Integration: Hardware-Protected Cryptographic Keys",
      "url": "/articles/linux/linux-hsm-pkcs11-integration/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-hsm-pkcs11-integration/",
      "category": "linux",
      "tags": ["hsm","pkcs11","key-management","tpm","hardware-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Kernel Module Signing and Verification",
      "url": "/articles/linux/linux-kernel-module-signing/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-kernel-module-signing/",
      "category": "linux",
      "tags": ["kernel-modules","module-signing","secure-boot","kernel-hardening","rootkit-prevention"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Network Namespace Security: Service Isolation Without a Firewall Rule Per Service",
      "url": "/articles/linux/linux-network-namespace-isolation/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-network-namespace-isolation/",
      "category": "linux",
      "tags": ["network-namespaces","service-isolation","veth","systemd","zero-trust"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux NFS Security Hardening: Kerberos, Exports, and Protecting Network Filesystems",
      "url": "/articles/linux/linux-nfs-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-nfs-security/",
      "category": "linux",
      "tags": ["nfs","kerberos","network-filesystem","access-control","encryption"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux PAM Multi-Factor Authentication: TOTP and YubiKey",
      "url": "/articles/linux/linux-pam-mfa-totp-yubikey/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-pam-mfa-totp-yubikey/",
      "category": "linux",
      "tags": ["pam","mfa","totp","yubikey","fido2"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","sysadmin"]
    },
    {
      "title": "Linux Hardening for PCI DSS Cardholder Data Environments",
      "url": "/articles/linux/linux-pci-dss-cde-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-pci-dss-cde-hardening/",
      "category": "linux",
      "tags": ["pci-dss","cde-hardening","compliance","linux-hardening","audit-logging"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","compliance-engineer"]
    },
    {
      "title": "Linux POSIX ACLs: Fine-Grained File Permission Security",
      "url": "/articles/linux/linux-posix-acl-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-posix-acl-security/",
      "category": "linux",
      "tags": ["acl","file-permissions","access-control","least-privilege","xattr"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","sysadmin"]
    },
    {
      "title": "Linux ptrace Security and YAMA LSM Hardening",
      "url": "/articles/linux/linux-ptrace-yama-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-ptrace-yama-hardening/",
      "category": "linux",
      "tags": ["ptrace","yama","lsm","process-security","memory-inspection"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Shared Library Security: LD_PRELOAD Attacks, Library Hijacking, and Hardened Linking",
      "url": "/articles/linux/linux-shared-library-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-shared-library-security/",
      "category": "linux",
      "tags": ["ld-preload","shared-libraries","dynamic-linking","library-hijacking","supply-chain"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Network Socket Hardening: Port Binding Controls, SO_REUSEPORT Security, and Reducing the Socket Attack Surface",
      "url": "/articles/linux/linux-socket-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-socket-hardening/",
      "category": "linux",
      "tags": ["sockets","port-security","capabilities","systemd","network-hardening"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Encrypted Swap: Protecting In-Memory Secrets from Disk Exposure",
      "url": "/articles/linux/linux-swap-encryption/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-swap-encryption/",
      "category": "linux",
      "tags": ["swap-encryption","dm-crypt","luks","memory-security","cold-boot"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Hardening Linux Kernel Information Exposure Through sysfs, debugfs, and procfs",
      "url": "/articles/linux/linux-sysfs-debugfs-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-sysfs-debugfs-hardening/",
      "category": "linux",
      "tags": ["sysfs","debugfs","procfs","kernel-hardening","information-disclosure"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux TCP/IP Stack Hardening via sysctl Parameters",
      "url": "/articles/linux/linux-tcpip-stack-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-tcpip-stack-hardening/",
      "category": "linux",
      "tags": ["sysctl","tcp-hardening","network-security","kernel","syn-flood"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux tmpfs and POSIX Shared Memory Security Hardening",
      "url": "/articles/linux/linux-tmpfs-shm-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-tmpfs-shm-security/",
      "category": "linux",
      "tags": ["tmpfs","shared-memory","posix-shm","mount-hardening","noexec"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "UEFI Secure Boot Deep Dive: DB/DBX, Shim, MOK, and Custom Key Enrolment",
      "url": "/articles/linux/linux-uefi-secure-boot-db/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-uefi-secure-boot-db/",
      "category": "linux",
      "tags": ["secure-boot","uefi","firmware-security","shim","mok"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Restricting Unprivileged User Namespaces: Closing the 3.4x Kernel Attack Surface",
      "url": "/articles/linux/linux-unprivileged-namespace-restriction/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-unprivileged-namespace-restriction/",
      "category": "linux",
      "tags": ["user-namespaces","kernel-hardening","container-security","attack-surface","privilege-escalation"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "systemd-tmpfiles and snap-confine Race Condition: CVE-2026-3888 on Ubuntu",
      "url": "/articles/linux/systemd-tmpfiles-snap-confine-lpe/",
      "full_url": "https://www.systemshardening.com/articles/linux/systemd-tmpfiles-snap-confine-lpe/",
      "category": "linux",
      "tags": ["ubuntu","snapd","privilege-escalation","race-condition","cve"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Anycast-Based DDoS Mitigation Architecture",
      "url": "/articles/network/anycast-ddos-mitigation/",
      "full_url": "https://www.systemshardening.com/articles/network/anycast-ddos-mitigation/",
      "category": "network",
      "tags": ["anycast","ddos-mitigation","bgp","scrubbing","dns-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "BGP and OSPF Hardening: Routing Protocol Security for Production Networks",
      "url": "/articles/network/bgp-ospf-routing-security/",
      "full_url": "https://www.systemshardening.com/articles/network/bgp-ospf-routing-security/",
      "category": "network",
      "tags": ["bgp","ospf","routing-security","gtsm","md5-authentication"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Certificate Pinning Security: Modern Approaches After HPKP Deprecation",
      "url": "/articles/network/certificate-pinning-security/",
      "full_url": "https://www.systemshardening.com/articles/network/certificate-pinning-security/",
      "category": "network",
      "tags": ["certificate-pinning","tls","hpkp","mobile-security","zero-trust"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Cloud Network Security Hardening: AWS, GCP, and Azure",
      "url": "/articles/network/cloud-network-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/cloud-network-security-hardening/",
      "category": "network",
      "tags": ["cloud-security","aws-vpc","security-groups","private-endpoints","network-segmentation"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "DNS Resolver Infrastructure Hardening: Recursive Resolvers, DNSSEC, DoT, and Split-Horizon DNS",
      "url": "/articles/network/dns-resolver-infrastructure-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/dns-resolver-infrastructure-hardening/",
      "category": "network",
      "tags": ["dns","resolver-security","dnssec","dns-over-tls","split-horizon"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "802.1X Network Access Control: Wired and Wireless Authentication with RADIUS and EAP-TLS",
      "url": "/articles/network/dot1x-network-access-control/",
      "full_url": "https://www.systemshardening.com/articles/network/dot1x-network-access-control/",
      "category": "network",
      "tags": ["802.1x","radius","eap","network-access-control","wpa-enterprise"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Financial-Grade API (FAPI 2.0) Security: Open Banking, PSD2, and DPoP-Bound Tokens",
      "url": "/articles/network/financial-grade-api-fapi-security/",
      "full_url": "https://www.systemshardening.com/articles/network/financial-grade-api-fapi-security/",
      "category": "network",
      "tags": ["fapi","open-banking","psd2","oauth2","dpop"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "HTTP/2 Protocol Security Hardening: Framing, HPACK, Stream Multiplexing, and Smuggling",
      "url": "/articles/network/http2-protocol-security/",
      "full_url": "https://www.systemshardening.com/articles/network/http2-protocol-security/",
      "category": "network",
      "tags": ["http2","protocol-security","hpack","stream-multiplexing","request-smuggling"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "ICMP Security: What to Allow, What to Block, and Detecting ICMP Tunnelling",
      "url": "/articles/network/icmp-security-tunnelling/",
      "full_url": "https://www.systemshardening.com/articles/network/icmp-security-tunnelling/",
      "category": "network",
      "tags": ["icmp","tunnelling","firewall","network-filtering","covert-channels"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Kerberos Network Security Hardening",
      "url": "/articles/network/kerberos-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/kerberos-security-hardening/",
      "category": "network",
      "tags": ["kerberos","active-directory","ticket-security","delegation","authentication"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","sysadmin"]
    },
    {
      "title": "LDAP and LDAPS Security Hardening for Directory Service Connections",
      "url": "/articles/network/ldap-ldaps-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/ldap-ldaps-security-hardening/",
      "category": "network",
      "tags": ["ldap","ldaps","active-directory","directory-service","credential-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","sysadmin"]
    },
    {
      "title": "Linkerd Service Mesh Security Hardening",
      "url": "/articles/network/linkerd-service-mesh-security/",
      "full_url": "https://www.systemshardening.com/articles/network/linkerd-service-mesh-security/",
      "category": "network",
      "tags": ["linkerd","service-mesh","mtls","zero-trust","kubernetes"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "NAT Security Implications and CGNAT Risks for Security Monitoring",
      "url": "/articles/network/nat-cgnat-security/",
      "full_url": "https://www.systemshardening.com/articles/network/nat-cgnat-security/",
      "category": "network",
      "tags": ["nat","cgnat","ip-attribution","logging","network-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Structured Network ACL Design and Management",
      "url": "/articles/network/network-acl-design-management/",
      "full_url": "https://www.systemshardening.com/articles/network/network-acl-design-management/",
      "category": "network",
      "tags": ["acl","firewall-policy","network-segmentation","least-privilege","change-management"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Network Flow Analysis: NetFlow, sFlow, and IPFIX for Security Monitoring",
      "url": "/articles/network/network-flow-security-analytics/",
      "full_url": "https://www.systemshardening.com/articles/network/network-flow-security-analytics/",
      "category": "network",
      "tags": ["netflow","sflow","ipfix","network-monitoring","threat-detection"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Network Forensics and Secure Packet Capture",
      "url": "/articles/network/network-forensics-packet-capture/",
      "full_url": "https://www.systemshardening.com/articles/network/network-forensics-packet-capture/",
      "category": "network",
      "tags": ["network-forensics","packet-capture","tcpdump","wireshark","incident-response"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","incident-responder"]
    },
    {
      "title": "Network Microsegmentation Implementation: eBPF, SPIFFE, and Per-Workload Isolation",
      "url": "/articles/network/network-microsegmentation-implementation/",
      "full_url": "https://www.systemshardening.com/articles/network/network-microsegmentation-implementation/",
      "category": "network",
      "tags": ["microsegmentation","zero-trust","ebpf","cilium","network-policy"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "nf_tables Container Privilege Escalation: Hardening the Kernel's Highest-Risk Subsystem",
      "url": "/articles/network/nftables-container-privilege-escalation/",
      "full_url": "https://www.systemshardening.com/articles/network/nftables-container-privilege-escalation/",
      "category": "network",
      "tags": ["nftables","container-escape","netfilter","seccomp","kernel-hardening"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "OpenVPN Security Hardening: PKI, Cipher Suites, tls-crypt-v2, and Privilege Separation",
      "url": "/articles/network/openvpn-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/openvpn-hardening/",
      "category": "network",
      "tags": ["openvpn","vpn","tls","certificate-management","access-control"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "PROXY Protocol and Trusted Proxy Chain Configuration",
      "url": "/articles/network/proxy-protocol-trusted-chain/",
      "full_url": "https://www.systemshardening.com/articles/network/proxy-protocol-trusted-chain/",
      "category": "network",
      "tags": ["proxy-protocol","reverse-proxy","x-forwarded-for","trusted-proxies","ip-spoofing"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "SOCKS Proxy Tunnelling Security: Detecting Abuse and Hardening Legitimate Deployments",
      "url": "/articles/network/socks-proxy-tunnelling-security/",
      "full_url": "https://www.systemshardening.com/articles/network/socks-proxy-tunnelling-security/",
      "category": "network",
      "tags": ["socks-proxy","tunnelling","ssh-tunnelling","covert-channels","egress-filtering"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Passive TLS Fingerprinting with JA3 and JA4 for Network Security Detection",
      "url": "/articles/network/tls-fingerprinting-ja3-ja4/",
      "full_url": "https://www.systemshardening.com/articles/network/tls-fingerprinting-ja3-ja4/",
      "category": "network",
      "tags": ["tls-fingerprinting","ja3","ja4","threat-detection","network-monitoring"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Migrating to TLS 1.3 and Hardening Cipher Suite Selection Across Web Servers and Load Balancers",
      "url": "/articles/network/tls13-migration-cipher-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/tls13-migration-cipher-hardening/",
      "category": "network",
      "tags": ["tls-1-3","cipher-suites","crypto-agility","nginx","certificate-management"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Traefik ForwardAuth Authentication Bypass: CVE-2026-35051",
      "url": "/articles/network/traefik-forwardauth-bypass/",
      "full_url": "https://www.systemshardening.com/articles/network/traefik-forwardauth-bypass/",
      "category": "network",
      "tags": ["traefik","authentication-bypass","forwardauth","cve","proxy"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "VLAN Security and Trunk Hardening: Defeating VLAN Hopping, DTP Exploitation, and Lateral Movement",
      "url": "/articles/network/vlan-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/vlan-security-hardening/",
      "category": "network",
      "tags": ["vlan","network-segmentation","trunk-security","dtp","switch-hardening"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Wireless Network Security Hardening: WPA3 and Enterprise Wi-Fi",
      "url": "/articles/network/wireless-network-security-wpa3/",
      "full_url": "https://www.systemshardening.com/articles/network/wireless-network-security-wpa3/",
      "category": "network",
      "tags": ["wireless-security","wpa3","802.11","rogue-ap","enterprise-wifi"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Zeek Network Security Monitoring: Protocol Analysis, Threat Detection, and SIEM Integration",
      "url": "/articles/network/zeek-network-security-monitoring/",
      "full_url": "https://www.systemshardening.com/articles/network/zeek-network-security-monitoring/",
      "category": "network",
      "tags": ["zeek","network-monitoring","ids","threat-detection","log-analysis"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "Zero Trust Network Access: Replacing VPN with Identity-Aware Proxies",
      "url": "/articles/network/zero-trust-network-access/",
      "full_url": "https://www.systemshardening.com/articles/network/zero-trust-network-access/",
      "category": "network",
      "tags": ["zero-trust","ztna","identity-aware-proxy","beyondcorp","network-access-control"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Security Observability for AI Inference Infrastructure: Monitoring Prompt Injection, Model Abuse, and Inference Threats",
      "url": "/articles/observability/ai-inference-security-observability/",
      "full_url": "https://www.systemshardening.com/articles/observability/ai-inference-security-observability/",
      "category": "observability",
      "tags": ["ai-security","inference-security","prompt-injection","llm-monitoring","opentelemetry"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer"]
    },
    {
      "title": "Alertmanager Receiver Security: SSRF, API Hardening, and Alert Pipeline Integrity",
      "url": "/articles/observability/alertmanager-receiver-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/alertmanager-receiver-security/",
      "category": "observability",
      "tags": ["alertmanager","prometheus","ssrf","api-security","observability"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "API Traffic Security Observability: Monitoring API Behaviour for Security Threats",
      "url": "/articles/observability/api-security-observability/",
      "full_url": "https://www.systemshardening.com/articles/observability/api-security-observability/",
      "category": "observability",
      "tags": ["api-security","api-monitoring","rate-limiting","anomaly-detection","opentelemetry"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Cloud Cost Anomaly Detection as a Security Signal: Crypto Mining and Unauthorized Compute",
      "url": "/articles/observability/cloud-cost-anomaly-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/cloud-cost-anomaly-security/",
      "category": "observability",
      "tags": ["crypto-mining-detection","cloud-security","cost-anomaly","aws-cost-explorer","resource-monitoring"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Container Memory Forensics for Incident Response",
      "url": "/articles/observability/container-memory-forensics/",
      "full_url": "https://www.systemshardening.com/articles/observability/container-memory-forensics/",
      "category": "observability",
      "tags": ["memory-forensics","incident-response","container-security","forensics","volatility"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","incident-responder"]
    },
    {
      "title": "Security Considerations for Continuous Profiling with Parca and Pyroscope",
      "url": "/articles/observability/continuous-profiling-parca-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/continuous-profiling-parca-security/",
      "category": "observability",
      "tags": ["continuous-profiling","parca","pyroscope","ebpf-profiling","performance-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Detecting Credential Access Attempts: Log Analysis and Runtime Monitoring",
      "url": "/articles/observability/credential-access-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/credential-access-detection/",
      "category": "observability",
      "tags": ["credential-theft","detection","authentication-logs","mitre-attack","siem"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Detecting Data Exfiltration Through Log Analysis and Network Monitoring",
      "url": "/articles/observability/data-exfiltration-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/data-exfiltration-detection/",
      "category": "observability",
      "tags": ["data-exfiltration","dlp","network-monitoring","threat-detection","siem"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Database Activity Monitoring: Audit Logs, SQL Inspection, and SIEM Integration",
      "url": "/articles/observability/database-activity-monitoring/",
      "full_url": "https://www.systemshardening.com/articles/observability/database-activity-monitoring/",
      "category": "observability",
      "tags": ["database-security","pgaudit","mysql-audit","sql-monitoring","data-access-logging"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","data-engineer"]
    },
    {
      "title": "Datadog Security Configuration Hardening",
      "url": "/articles/observability/datadog-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/datadog-security-hardening/",
      "category": "observability",
      "tags": ["datadog","agent-security","api-key-management","cspm","observability"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Detecting AI-Automated Container Escapes with Runtime Monitoring",
      "url": "/articles/observability/detecting-ai-automated-container-escapes/",
      "full_url": "https://www.systemshardening.com/articles/observability/detecting-ai-automated-container-escapes/",
      "category": "observability",
      "tags": ["container-escape","falco","runtime-detection","ai-security","ebpf"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Falco Runtime Security: Writing Effective Detection Rules and Deploying Falco Securely",
      "url": "/articles/observability/falco-security-rules/",
      "full_url": "https://www.systemshardening.com/articles/observability/falco-security-rules/",
      "category": "observability",
      "tags": ["falco","runtime-security","detection-rules","kubernetes","syscall-monitoring"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "File Integrity Monitoring with Falco and AIDE: Detecting Unauthorized File Changes",
      "url": "/articles/observability/file-integrity-monitoring/",
      "full_url": "https://www.systemshardening.com/articles/observability/file-integrity-monitoring/",
      "category": "observability",
      "tags": ["file-integrity-monitoring","aide","falco","fim","host-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Fluent Bit Security Hardening: Securing Log Collection Pipelines in Kubernetes",
      "url": "/articles/observability/fluent-bit-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/fluent-bit-security-hardening/",
      "category": "observability",
      "tags": ["fluent-bit","log-collection","pipeline-security","tls","kubernetes-logging"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Kubernetes Events for Security: Detecting Threats Beyond the Audit Log",
      "url": "/articles/observability/kubernetes-events-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/kubernetes-events-security/",
      "category": "observability",
      "tags": ["kubernetes","events-monitoring","cluster-security","admission-control","threat-detection"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Log Retention Policy, Archival Security, and Compliance-Driven Log Management",
      "url": "/articles/observability/log-retention-archival-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/log-retention-archival-security/",
      "category": "observability",
      "tags": ["log-retention","compliance","log-archival","worm-storage","gdpr"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","compliance-engineer"]
    },
    {
      "title": "mTLS Observability: Monitoring Certificate Health, Detecting Misconfigurations, and Alerting on TLS Failures",
      "url": "/articles/observability/mtls-certificate-observability/",
      "full_url": "https://www.systemshardening.com/articles/observability/mtls-certificate-observability/",
      "category": "observability",
      "tags": ["mtls","certificate-monitoring","service-mesh","tls-observability","spiffe"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Real-Time Payment Fraud Detection: Velocity Rules, Device Signals, and Behavioral Baselines",
      "url": "/articles/observability/payment-fraud-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/payment-fraud-detection/",
      "category": "observability",
      "tags": ["fraud-detection","payment-security","behavioral-analytics","real-time-analytics","anomaly-detection"],
      "difficulty": "Advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Process Tree Security Analysis: Detecting Attacks Through Process Lineage",
      "url": "/articles/observability/process-tree-security-analysis/",
      "full_url": "https://www.systemshardening.com/articles/observability/process-tree-security-analysis/",
      "category": "observability",
      "tags": ["process-monitoring","process-tree","endpoint-detection","ebpf","threat-detection"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Runtime Application Self-Protection (RASP): In-Process Security Monitoring and Blocking",
      "url": "/articles/observability/runtime-application-self-protection/",
      "full_url": "https://www.systemshardening.com/articles/observability/runtime-application-self-protection/",
      "category": "observability",
      "tags": ["rasp","runtime-security","waf","application-security","injection-prevention"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Advanced Security Event Correlation: EQL Sequences, Entity Graphs, and Automated Response",
      "url": "/articles/observability/security-event-correlation-advanced/",
      "full_url": "https://www.systemshardening.com/articles/observability/security-event-correlation-advanced/",
      "category": "observability",
      "tags": ["event-correlation","threat-detection","siem","eql","attack-chain"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Security SLIs and Error Budgets: Measuring Posture with SRE Discipline",
      "url": "/articles/observability/security-sli-error-budget/",
      "full_url": "https://www.systemshardening.com/articles/observability/security-sli-error-budget/",
      "category": "observability",
      "tags": ["sli","slo","error-budget","security-metrics","posture-management"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Serverless Security Observability: AWS Lambda, GCP Cloud Functions, Azure Functions",
      "url": "/articles/observability/serverless-security-observability/",
      "full_url": "https://www.systemshardening.com/articles/observability/serverless-security-observability/",
      "category": "observability",
      "tags": ["serverless","aws-lambda","cloud-functions","runtime-monitoring","function-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Splunk Security Hardening: Authentication, RBAC, TLS, and Audit Logging",
      "url": "/articles/observability/splunk-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/splunk-security-hardening/",
      "category": "observability",
      "tags": ["splunk","siem","log-management","authentication","audit-logging"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "Synthetic Monitoring as a Security Tool: Blackbox Exporter, Certificate Probes, and Tamper Detection",
      "url": "/articles/observability/synthetic-monitoring-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/synthetic-monitoring-security/",
      "category": "observability",
      "tags": ["synthetic-monitoring","blackbox-exporter","certificate-monitoring","availability-monitoring","security-monitoring"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Securing Distributed Tracing Infrastructure: Grafana Tempo and Jaeger",
      "url": "/articles/observability/tempo-jaeger-tracing-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/tempo-jaeger-tracing-security/",
      "category": "observability",
      "tags": ["tempo","jaeger","distributed-tracing","trace-privacy","opentelemetry"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Securing Multi-Tenant Prometheus Deployments with Thanos",
      "url": "/articles/observability/thanos-prometheus-multitenancy-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/thanos-prometheus-multitenancy-security/",
      "category": "observability",
      "tags": ["thanos","prometheus","multi-tenancy","metrics-security","long-term-storage"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "User Behavior Analytics: Detecting Insider Threats and Compromised Accounts",
      "url": "/articles/observability/user-behavior-analytics/",
      "full_url": "https://www.systemshardening.com/articles/observability/user-behavior-analytics/",
      "category": "observability",
      "tags": ["uba","insider-threat","anomaly-detection","siem","behavioral-analytics"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","security-analyst"]
    },
    {
      "title": "VictoriaMetrics Security Hardening: Authentication, TLS, Tenant Isolation, and Data Protection",
      "url": "/articles/observability/victoriametrics-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/victoriametrics-security-hardening/",
      "category": "observability",
      "tags": ["victoriametrics","prometheus","metrics-security","authentication","multi-tenancy"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Security Hardening for WASM at the CDN Edge: Cloudflare Workers and Fastly Compute@Edge",
      "url": "/articles/wasm/cloudflare-workers-fastly-edge-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/cloudflare-workers-fastly-edge-security/",
      "category": "wasm",
      "tags": ["cloudflare-workers","fastly-compute","edge-computing","wasm","serverless-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Running User-Provided WASM Safely: Sandboxing Untrusted Customer Code",
      "url": "/articles/wasm/user-provided-wasm-execution/",
      "full_url": "https://www.systemshardening.com/articles/wasm/user-provided-wasm-execution/",
      "category": "wasm",
      "tags": ["wasm","user-code-execution","sandboxing","multi-tenancy","platform-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASI Security Roadmap: Preview 2, WASIp3 Async, and Upcoming Security Proposals",
      "url": "/articles/wasm/wasip3-security-roadmap/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasip3-security-roadmap/",
      "category": "wasm",
      "tags": ["wasi","wasip3","wasi-preview2","capability-security","wasm-roadmap"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM API Gateway Plugins: Securing Kong, APISIX, and Custom Gateway Extensions",
      "url": "/articles/wasm/wasm-api-gateway-plugins/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-api-gateway-plugins/",
      "category": "wasm",
      "tags": ["wasm","api-gateway","kong","apisix","plugin-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Binary Analysis: Security Testing and Reverse Engineering Defences",
      "url": "/articles/wasm/wasm-binary-analysis-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-binary-analysis-security/",
      "category": "wasm",
      "tags": ["wasm","binary-analysis","reverse-engineering","security-testing","ip-protection"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Capability-Based File I/O Security in WASM with cap-std and WASI",
      "url": "/articles/wasm/wasm-cap-std-capability-io/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-cap-std-capability-io/",
      "category": "wasm",
      "tags": ["cap-std","capabilities","wasi","file-io-security","ambient-authority"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM for Secure Client-Side Financial Calculations: Isolating Sensitive Logic from Browser Attacks",
      "url": "/articles/wasm/wasm-client-side-financial-calculations/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-client-side-financial-calculations/",
      "category": "wasm",
      "tags": ["wasm","financial-security","client-side-security","browser-security","isolation"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Component Composition Security: Capability Flow and Interface Boundaries",
      "url": "/articles/wasm/wasm-component-composition-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-component-composition-security/",
      "category": "wasm",
      "tags": ["wasm-component-model","component-composition","interface-types","capability-security","wit"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Cryptographic Implementations in WASM: Timing Safety, WASI Crypto, and Key Handling",
      "url": "/articles/wasm/wasm-crypto-implementations/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-crypto-implementations/",
      "category": "wasm",
      "tags": ["wasm","cryptography","timing-attacks","wasi-crypto","constant-time"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Fuel Metering and Execution Budget Enforcement for DoS Prevention",
      "url": "/articles/wasm/wasm-fuel-metering/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-fuel-metering/",
      "category": "wasm",
      "tags": ["wasm","fuel-metering","resource-limits","dos-prevention","wasmtime"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Fuzzing WebAssembly: Security Testing WASM Modules and Runtimes",
      "url": "/articles/wasm/wasm-fuzzing-security-testing/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-fuzzing-security-testing/",
      "category": "wasm",
      "tags": ["fuzzing","wasm","cargo-fuzz","security-testing","libfuzzer"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Host Function Security: Hardening the WASM-to-Host Boundary",
      "url": "/articles/wasm/wasm-host-function-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-host-function-security/",
      "category": "wasm",
      "tags": ["wasm","host-functions","sandbox-boundary","api-security","capability-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM for IoT Firmware Updates: Secure Field-Updateable Device Functionality",
      "url": "/articles/wasm/wasm-iot-firmware-updates/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-iot-firmware-updates/",
      "category": "wasm",
      "tags": ["wasm","iot-security","firmware-updates","embedded","ota-updates"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM vs Container Isolation: What AI-Scale Vulnerability Discovery Changes",
      "url": "/articles/wasm/wasm-isolation-vs-container-isolation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-isolation-vs-container-isolation/",
      "category": "wasm",
      "tags": ["wasm-isolation","container-security","memory-safety","ai-security","architecture"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WASM JIT Compiler Security: JIT Spraying and Speculative Execution Defenses",
      "url": "/articles/wasm/wasm-jit-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-jit-security/",
      "category": "wasm",
      "tags": ["wasm","jit-compiler","speculative-execution","side-channels","sandboxing"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM as a Kubernetes Sidecar: Lightweight Security Proxies and Policy Enforcement",
      "url": "/articles/wasm/wasm-kubernetes-sidecar-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-kubernetes-sidecar-security/",
      "category": "wasm",
      "tags": ["wasm","kubernetes","sidecar","proxy-security","policy-enforcement"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Module Caching Security: Protecting Precompiled Artefacts",
      "url": "/articles/wasm/wasm-module-caching-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-module-caching-security/",
      "category": "wasm",
      "tags": ["wasm","module-caching","aot-compilation","supply-chain","runtime-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Securing WASM Module Loading and Validation at Runtime",
      "url": "/articles/wasm/wasm-module-loading-validation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-module-loading-validation/",
      "category": "wasm",
      "tags": ["wasm","module-validation","runtime-security","supply-chain","integrity"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Module Signing Beyond OCI: COSE, In-Band Signatures, and Non-Registry Distribution",
      "url": "/articles/wasm/wasm-module-signing-cose/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-module-signing-cose/",
      "category": "wasm",
      "tags": ["wasm","module-signing","cose","sigstore","supply-chain"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM for Network Packet Processing: Security Filters and Traffic Inspection",
      "url": "/articles/wasm/wasm-network-packet-processing/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-network-packet-processing/",
      "category": "wasm",
      "tags": ["wasm","network-security","packet-processing","ebpf-comparison","wasi-sockets"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","network-engineer"]
    },
    {
      "title": "WASM Policy Engines: Beyond OPA — Custom Policy Logic and Embedded Enforcement",
      "url": "/articles/wasm/wasm-policy-engines/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-policy-engines/",
      "category": "wasm",
      "tags": ["wasm","policy-engines","opa","cedar","authorisation"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Post-Quantum Cryptography in WASM: Migration Readiness for WebAssembly Deployments",
      "url": "/articles/wasm/wasm-post-quantum-cryptography/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-post-quantum-cryptography/",
      "category": "wasm",
      "tags": ["wasm","post-quantum","pqc","cryptography","migration"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Reference Types and Host Binding Security: Hardening externref and funcref",
      "url": "/articles/wasm/wasm-reference-types-host-binding/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-reference-types-host-binding/",
      "category": "wasm",
      "tags": ["wasm-reference-types","externref","host-binding","type-safety","capability-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WASM in Regulated Industries: Medical, Automotive, and Industrial Deployments",
      "url": "/articles/wasm/wasm-regulated-industries/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-regulated-industries/",
      "category": "wasm",
      "tags": ["wasm","medical-devices","automotive","regulatory-compliance","safety-critical"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Runtime Attestation: Verifying Execution Environment Integrity",
      "url": "/articles/wasm/wasm-runtime-attestation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-runtime-attestation/",
      "category": "wasm",
      "tags": ["wasm","attestation","tpm","confidential-computing","runtime-integrity"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Runtime Security Instrumentation: Monitoring Host Calls and Execution Behaviour",
      "url": "/articles/wasm/wasm-runtime-instrumentation/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-runtime-instrumentation/",
      "category": "wasm",
      "tags": ["wasm","instrumentation","security-monitoring","tracing","runtime-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Supply Chain: SBOM Generation and Provenance for WebAssembly Modules",
      "url": "/articles/wasm/wasm-sbom-provenance/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-sbom-provenance/",
      "category": "wasm",
      "tags": ["wasm","sbom","provenance","supply-chain","sigstore"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM and seccomp: Host-Side Syscall Filtering for Runtime Defence in Depth",
      "url": "/articles/wasm/wasm-seccomp-syscall-filtering/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-seccomp-syscall-filtering/",
      "category": "wasm",
      "tags": ["wasm","seccomp","syscall-filtering","defence-in-depth","sandbox-hardening"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Security Testing Methodology: Static Analysis, Dynamic Testing, and Supply Chain Verification",
      "url": "/articles/wasm/wasm-security-testing-methodology/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-security-testing-methodology/",
      "category": "wasm",
      "tags": ["wasm","security-testing","static-analysis","fuzzing","supply-chain"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Shared-Nothing Architecture: Security Benefits of Zero Memory Sharing",
      "url": "/articles/wasm/wasm-shared-nothing-microservices/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-shared-nothing-microservices/",
      "category": "wasm",
      "tags": ["wasm","shared-nothing","microservices","isolation","component-model"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM SIMD128 Security: Timing Side Channels and Cryptographic Pitfalls",
      "url": "/articles/wasm/wasm-simd-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-simd-security/",
      "category": "wasm",
      "tags": ["wasm-simd","side-channels","timing-attacks","cryptography","wasm"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Smart Contract Security: CosmWasm and NEAR",
      "url": "/articles/wasm/wasm-smart-contract-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-smart-contract-security/",
      "category": "wasm",
      "tags": ["smart-contracts","cosmwasm","near-protocol","blockchain","wasm"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Security in WebKit/Safari and Mobile Browser Contexts",
      "url": "/articles/wasm/wasm-webkit-mobile-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-webkit-mobile-security/",
      "category": "wasm",
      "tags": ["wasm","webkit","safari","mobile-security","browser-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "LLM-Assisted Supply Chain Incident Response: Accelerating the Axios Blast Radius Analysis",
      "url": "/articles/ai-landscape/llm-supply-chain-incident-response/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-supply-chain-incident-response/",
      "category": "ai-landscape",
      "tags": ["supply-chain","npm","llm","incident-response","automation"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "LMDeploy SSRF and IMDS Exfiltration: CVE-2026-33626 on GPU Inference Nodes",
      "url": "/articles/ai-landscape/lmdeploy-ssrf-imds-exfiltration/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/lmdeploy-ssrf-imds-exfiltration/",
      "category": "ai-landscape",
      "tags": ["lmdeploy","ssrf","imds","inference-security","cve"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "MCP RCE via Project Config Files: CVE-2026-21852 and the MCP Trust Model",
      "url": "/articles/ai-landscape/mcp-rce-project-config-hardening/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mcp-rce-project-config-hardening/",
      "category": "ai-landscape",
      "tags": ["mcp","rce","cve","claude-code","ai-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "GitHub Actions Supply Chain: The Trivy Action Compromise and SHA Pinning",
      "url": "/articles/cicd/github-actions-trivy-compromise/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-actions-trivy-compromise/",
      "category": "cicd",
      "tags": ["github-actions","supply-chain","sha-pinning","credential-theft","cicd"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "GitHub Enterprise Server RCE via Git Push: CVE-2026-3854",
      "url": "/articles/cicd/github-enterprise-rce-git-push/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-enterprise-rce-git-push/",
      "category": "cicd",
      "tags": ["github-enterprise","rce","git","cve","push-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "npm Lockfile Integrity: What package-lock.json Protects Against (and What It Doesn't)",
      "url": "/articles/cicd/npm-lockfile-integrity-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/npm-lockfile-integrity-security/",
      "category": "cicd",
      "tags": ["supply-chain","npm","lockfile","integrity","cicd"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "npm Package Integrity Verification: The Gap the Axios Attack Exposed",
      "url": "/articles/cross-cutting/npm-package-integrity-verification/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/npm-package-integrity-verification/",
      "category": "cross-cutting",
      "tags": ["supply-chain","npm","integrity","provenance","package-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OpenSSL CMS RCE: Patching CVE-2025-15467 and the AI-Discovered Vulnerability Class",
      "url": "/articles/cross-cutting/openssl-cms-rce-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/openssl-cms-rce-hardening/",
      "category": "cross-cutting",
      "tags": ["openssl","cve","rce","cms","patch-management"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Python Cryptography Buffer Overflow: CVE-2026-39892 and Non-Contiguous Buffers",
      "url": "/articles/cross-cutting/python-cryptography-buffer-overflow/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/python-cryptography-buffer-overflow/",
      "category": "cross-cutting",
      "tags": ["python","cryptography","buffer-overflow","cve","memory-safety"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "gRPC-Go HTTP/2 Path Authorization Bypass: CVE-2026-33186",
      "url": "/articles/kubernetes/grpc-go-path-auth-bypass/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/grpc-go-path-auth-bypass/",
      "category": "kubernetes",
      "tags": ["grpc","authorization-bypass","cve","microservices","http2"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "ingress-nginx Annotation Injection 2026: CVE-2026-24512 and the New Hardening Controls",
      "url": "/articles/kubernetes/ingress-nginx-annotation-injection-2026/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ingress-nginx-annotation-injection-2026/",
      "category": "kubernetes",
      "tags": ["ingress-nginx","annotation-injection","cve","rce","kubernetes"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes Incident Response for npm Supply Chain Compromises",
      "url": "/articles/kubernetes/kubernetes-supply-chain-incident-response/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-supply-chain-incident-response/",
      "category": "kubernetes",
      "tags": ["supply-chain","npm","incident-response","secrets-rotation","forensics"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Developer Workstation Hardening: Closing the Axios Supply Chain Vector",
      "url": "/articles/linux/linux-developer-workstation-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-developer-workstation-supply-chain/",
      "category": "linux",
      "tags": ["supply-chain","npm","workstation-security","credential-protection","endpoint"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Linux LPE Defence in Depth: Raising the Bar Against Kernel Privilege Escalation",
      "url": "/articles/linux/linux-lpe-defence-in-depth/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-lpe-defence-in-depth/",
      "category": "linux",
      "tags": ["kernel","privilege-escalation","seccomp","landlock","defence-in-depth"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Python Cryptography DNS Name Constraint Bypass: CVE-2026-34073 on Linux Services",
      "url": "/articles/linux/python-cryptography-cert-bypass/",
      "full_url": "https://www.systemshardening.com/articles/linux/python-cryptography-cert-bypass/",
      "category": "linux",
      "tags": ["tls","x509","python","certificate-validation","cve"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "nginx-ui MCPwn: Unauthenticated RCE via Exposed MCP Management Endpoint (CVE-2026-33032)",
      "url": "/articles/network/nginx-ui-mcp-rce/",
      "full_url": "https://www.systemshardening.com/articles/network/nginx-ui-mcp-rce/",
      "category": "network",
      "tags": ["nginx","mcp","rce","cve","authentication"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Private npm Registry as Supply Chain Control: Blocking the Axios Attack Pattern",
      "url": "/articles/network/private-npm-registry-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/network/private-npm-registry-supply-chain/",
      "category": "network",
      "tags": ["supply-chain","npm","private-registry","verdaccio","network-security"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Roxy-WI LDAP Injection: Unauthenticated Auth Bypass via CVE-2026-33432",
      "url": "/articles/network/roxy-wi-ldap-injection/",
      "full_url": "https://www.systemshardening.com/articles/network/roxy-wi-ldap-injection/",
      "category": "network",
      "tags": ["haproxy","nginx","ldap-injection","authentication-bypass","cve"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Grafana Datasource Auth Bypass: CVE-2026-27880 and HTTP Path Normalisation",
      "url": "/articles/observability/grafana-datasource-auth-bypass/",
      "full_url": "https://www.systemshardening.com/articles/observability/grafana-datasource-auth-bypass/",
      "category": "observability",
      "tags": ["grafana","cve","authentication-bypass","prometheus","path-traversal"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OTel Collector Remote Configuration Security: Hardening the OpAMP Trust Boundary",
      "url": "/articles/observability/otel-collector-remote-config-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/otel-collector-remote-config-security/",
      "category": "observability",
      "tags": ["opentelemetry","otel-collector","opamp","configuration-security","observability"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "SBOM-Driven Supply Chain Compromise Detection: Finding Axios 1.14.1 in Production",
      "url": "/articles/observability/sbom-supply-chain-compromise-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/sbom-supply-chain-compromise-detection/",
      "category": "observability",
      "tags": ["supply-chain","sbom","npm","continuous-monitoring","attestation"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "WASM-Compiled Supply Chain Scanning Tools: Portable npm Security for Any CI Environment",
      "url": "/articles/wasm/wasm-supply-chain-scanning-tools/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-supply-chain-scanning-tools/",
      "category": "wasm",
      "tags": ["supply-chain","npm","wasm","wasi","ci-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Wasmtime aarch64 Sandbox Escape: CVE-2026-34971 and Cranelift Compiler Security",
      "url": "/articles/wasm/wasmtime-aarch64-sandbox-escape/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmtime-aarch64-sandbox-escape/",
      "category": "wasm",
      "tags": ["wasmtime","sandbox-escape","cranelift","aarch64","cve"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Wasmtime Component String Transcoding OOB Read: CVE-2026-34941",
      "url": "/articles/wasm/wasmtime-component-string-transcoding/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmtime-component-string-transcoding/",
      "category": "wasm",
      "tags": ["wasmtime","component-model","information-disclosure","cve","string-handling"],
      "difficulty": "Advanced",
      "reading_time_minutes": 10,
      "date": "2026-05-04T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "AI-Assisted npm Package Anomaly Detection: Catching Supply Chain Attacks Before Install",
      "url": "/articles/ai-landscape/ai-npm-package-anomaly-detection/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-npm-package-anomaly-detection/",
      "category": "ai-landscape",
      "tags": ["supply-chain","npm","anomaly-detection","machine-learning","ci-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI in OT Risk Assessment: CISA's Framework for Safe AI Procurement",
      "url": "/articles/ai-landscape/ai-ot-risk-assessment/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-ot-risk-assessment/",
      "category": "ai-landscape",
      "tags": ["ot-security","ai-governance","risk-assessment","ics","safety-integrity"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI for OT Security Operations: CISA's Framework for Safe ML in ICS",
      "url": "/articles/ai-landscape/ai-ot-security-operations/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-ot-security-operations/",
      "category": "ai-landscape",
      "tags": ["ot-security","anomaly-detection","ics","llm","ai-governance"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Milvus Vector Database Security Hardening",
      "url": "/articles/ai-landscape/milvus-vector-db-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/milvus-vector-db-security/",
      "category": "ai-landscape",
      "tags": ["milvus","vector-database","cve-2026-26190","unauthenticated-api","rag","ai-security","etcd"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "HuggingFace Transformers Checkpoint Security",
      "url": "/articles/ai-landscape/transformers-checkpoint-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/transformers-checkpoint-security/",
      "category": "ai-landscape",
      "tags": ["transformers","pytorch","checkpoint","cve-2026-1839","pickle","rce","ml-security","torch-load"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "vLLM Multimodal RCE: Hardening Against CVE-2026-22778",
      "url": "/articles/ai-landscape/vllm-multimodal-rce-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/vllm-multimodal-rce-security/",
      "category": "ai-landscape",
      "tags": ["vllm","multimodal","rce","cve","inference-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Argo Workflows Controller DoS: Hardening Against CVE-2026-40886",
      "url": "/articles/cicd/argo-workflows-controller-dos/",
      "full_url": "https://www.systemshardening.com/articles/cicd/argo-workflows-controller-dos/",
      "category": "cicd",
      "tags": ["argo-workflows","denial-of-service","annotation","cve","controller"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Crossplane Provider and Credential Security",
      "url": "/articles/cicd/crossplane-provider-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/crossplane-provider-security/",
      "category": "cicd",
      "tags": ["crossplane","provider","credentials","cloud-credentials","rbac","composite-resource","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Go Crypto and x509 Security in CI/CD Pipelines",
      "url": "/articles/cicd/go-crypto-cicd-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/go-crypto-cicd-security/",
      "category": "cicd",
      "tags": ["go","crypto","x509","cve-2026-33810","supply-chain","govulncheck","cicd-toolchain"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "npm Publish Account Hardening: Lessons from the Axios Maintainer Compromise",
      "url": "/articles/cicd/npm-publish-account-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/npm-publish-account-hardening/",
      "category": "cicd",
      "tags": ["supply-chain","npm","account-security","provenance","cicd"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "GitOps for OT Network Configuration: Preventing Conduit Drift",
      "url": "/articles/cicd/ot-gitops-network-configuration/",
      "full_url": "https://www.systemshardening.com/articles/cicd/ot-gitops-network-configuration/",
      "category": "cicd",
      "tags": ["ot-security","gitops","network-configuration","ics","drift-detection"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "OT Patch Management: Secure Update Pipelines for ICS Environments",
      "url": "/articles/cicd/ot-patch-management-pipeline/",
      "full_url": "https://www.systemshardening.com/articles/cicd/ot-patch-management-pipeline/",
      "category": "cicd",
      "tags": ["ot-security","patch-management","sbom","ics","supply-chain"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Authentik Identity Provider Security Hardening",
      "url": "/articles/cross-cutting/authentik-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/authentik-security-hardening/",
      "category": "cross-cutting",
      "tags": ["authentik","cve-2026-25227","cve-2026-25748","rce","forward-auth","identity-provider","oauth"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Go crypto/x509 and PKI Security Hardening",
      "url": "/articles/cross-cutting/go-x509-pki-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/go-x509-pki-security/",
      "category": "cross-cutting",
      "tags": ["go","x509","pki","cve-2026-33810","cert-manager","spire","name-constraints","crypto"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "npm Maintainer Account Security and the Ecosystem Trust Model",
      "url": "/articles/cross-cutting/npm-maintainer-account-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/npm-maintainer-account-security/",
      "category": "cross-cutting",
      "tags": ["supply-chain","npm","account-security","ecosystem-trust","fido2"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OT Data Integrity: Signing Process Data and PLC Configurations",
      "url": "/articles/cross-cutting/ot-data-integrity-signing/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/ot-data-integrity-signing/",
      "category": "cross-cutting",
      "tags": ["ot-security","data-integrity","digital-signing","ics","opc-ua"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OT Non-Person Entity Identity: PKI and Zero Trust for PLCs and RTUs",
      "url": "/articles/cross-cutting/ot-npe-identity-pki/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/ot-npe-identity-pki/",
      "category": "cross-cutting",
      "tags": ["ot-security","pki","identity","spiffe","ics"],
      "difficulty": "Advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "rust-openssl Buffer Overflow in Safe Rust: CVE-2026-41676",
      "url": "/articles/cross-cutting/rust-openssl-buffer-overflow/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/rust-openssl-buffer-overflow/",
      "category": "cross-cutting",
      "tags": ["rust","openssl","buffer-overflow","cve","pki"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Contour Ingress Controller Security",
      "url": "/articles/kubernetes/contour-ingress-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/contour-ingress-security/",
      "category": "kubernetes",
      "tags": ["contour","cve-2026-41246","ingress","lua","code-injection","httpproxy","envoy"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Kubernetes Defence Against Compromised npm Packages: Lessons from Axios",
      "url": "/articles/kubernetes/kubernetes-npm-supply-chain-defence/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-npm-supply-chain-defence/",
      "category": "kubernetes",
      "tags": ["supply-chain","npm","kyverno","network-policy","container-security"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes at the IT/OT Boundary: Zero Trust for Industrial Edge",
      "url": "/articles/kubernetes/kubernetes-ot-edge-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-ot-edge-security/",
      "category": "kubernetes",
      "tags": ["ot-security","industrial-edge","network-policy","ics","zero-trust"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes for OT Security Tooling: Deploying Malcolm and Zeek in the SOC",
      "url": "/articles/kubernetes/kubernetes-ot-security-tooling/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-ot-security-tooling/",
      "category": "kubernetes",
      "tags": ["ot-security","malcolm","zeek","soc","daemonset"],
      "difficulty": "Advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes SPDY Streaming DoS: Hardening Against CVE-2026-35469",
      "url": "/articles/kubernetes/kubernetes-spdy-streaming-dos/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-spdy-streaming-dos/",
      "category": "kubernetes",
      "tags": ["kubelet","kube-apiserver","spdy","denial-of-service","cve"],
      "difficulty": "Intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Linux algif_aead Privilege Escalation: Hardening Against CVE-2026-31431",
      "url": "/articles/linux/linux-algif-aead-privilege-escalation/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-algif-aead-privilege-escalation/",
      "category": "linux",
      "tags": ["kernel","privilege-escalation","algif","cve","live-patching"],
      "difficulty": "Advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Linux Bluetooth L2CAP Security Hardening",
      "url": "/articles/linux/linux-bluetooth-l2cap-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-bluetooth-l2cap-security/",
      "category": "linux",
      "tags": ["bluetooth","l2cap","cve-2026-31512","kernel","memory-disclosure","oob-read","wireless"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Linux SCADA/HMI Workstation Hardening: Operator Stations in OT Zero Trust",
      "url": "/articles/linux/linux-ot-hmi-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-ot-hmi-hardening/",
      "category": "linux",
      "tags": ["ot-security","hmi","scada","application-control","ics"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Linux OT Jump Host Hardening: Zero Trust at the IT/OT Boundary",
      "url": "/articles/linux/linux-ot-jump-host-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-ot-jump-host-hardening/",
      "category": "linux",
      "tags": ["ot-security","jump-host","ics","zero-trust","application-control"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Linux USB Audio and ALSA Driver Security",
      "url": "/articles/linux/linux-usb-audio-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-usb-audio-security/",
      "category": "linux",
      "tags": ["usb","alsa","audio","cve-2026-23208","kernel","urb","driver-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Detecting Malicious npm postinstall Scripts at the Kernel Level",
      "url": "/articles/linux/npm-postinstall-kernel-detection/",
      "full_url": "https://www.systemshardening.com/articles/linux/npm-postinstall-kernel-detection/",
      "category": "linux",
      "tags": ["supply-chain","npm","auditd","ebpf","runtime-detection"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Caddy Web Server Security Hardening",
      "url": "/articles/network/caddy-web-server-security/",
      "full_url": "https://www.systemshardening.com/articles/network/caddy-web-server-security/",
      "category": "network",
      "tags": ["caddy","cve-2026-27586","cve-2026-27589","mtls","admin-api","forward-auth","tls"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["systems-engineer","sre","security-engineer"]
    },
    {
      "title": "nginx Module and Upstream TLS Security",
      "url": "/articles/network/nginx-module-security/",
      "full_url": "https://www.systemshardening.com/articles/network/nginx-module-security/",
      "category": "network",
      "tags": ["nginx","cve-2026-1642","cve-2026-27654","tls","upstream","modules","buffer-overflow"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["systems-engineer","sre","security-engineer"]
    },
    {
      "title": "Nginx UI Backup Disclosure: Lessons from CVE-2026-27944",
      "url": "/articles/network/nginx-ui-backup-disclosure/",
      "full_url": "https://www.systemshardening.com/articles/network/nginx-ui-backup-disclosure/",
      "category": "network",
      "tags": ["nginx","api-security","backup","cve","authentication"],
      "difficulty": "intermediate",
      "reading_time_minutes": 10,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Detecting npm postinstall C2 Callbacks at the Network Layer",
      "url": "/articles/network/npm-postinstall-c2-egress-detection/",
      "full_url": "https://www.systemshardening.com/articles/network/npm-postinstall-c2-egress-detection/",
      "category": "network",
      "tags": ["supply-chain","npm","egress-filtering","suricata","dns-monitoring"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OT Network Segmentation: Zero Trust with ISA/IEC 62443 Zones and Conduits",
      "url": "/articles/network/ot-network-segmentation-zero-trust/",
      "full_url": "https://www.systemshardening.com/articles/network/ot-network-segmentation-zero-trust/",
      "category": "network",
      "tags": ["ot-security","network-segmentation","ics","zero-trust","iec-62443"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "OT Remote Access Zero Trust: Replacing Persistent Vendor VPNs",
      "url": "/articles/network/ot-remote-access-zero-trust/",
      "full_url": "https://www.systemshardening.com/articles/network/ot-remote-access-zero-trust/",
      "category": "network",
      "tags": ["ot-security","remote-access","zero-trust","vendor-access","ics"],
      "difficulty": "intermediate",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Grafana Plugin Trust and RCE: The CVE-2026-27876 Attack Chain",
      "url": "/articles/observability/grafana-plugin-trust-rce/",
      "full_url": "https://www.systemshardening.com/articles/observability/grafana-plugin-trust-rce/",
      "category": "observability",
      "tags": ["grafana","plugin-security","rce","cve","enterprise"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Runtime Detection of npm Supply Chain RAT Behaviour: Observing the Axios Attack Pattern",
      "url": "/articles/observability/npm-supply-chain-runtime-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/npm-supply-chain-runtime-detection/",
      "category": "observability",
      "tags": ["supply-chain","npm","sigma","runtime-detection","process-monitoring"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OT Incident Response and Forensics: CISA's ICS Evidence Guidance",
      "url": "/articles/observability/ot-incident-response-forensics/",
      "full_url": "https://www.systemshardening.com/articles/observability/ot-incident-response-forensics/",
      "category": "observability",
      "tags": ["ot-security","incident-response","forensics","ics","mitre-attack"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OT Network Monitoring with CISA Malcolm: Visibility for ICS/SCADA",
      "url": "/articles/observability/ot-network-monitoring-malcolm/",
      "full_url": "https://www.systemshardening.com/articles/observability/ot-network-monitoring-malcolm/",
      "category": "observability",
      "tags": ["ot-security","malcolm","zeek","ics","anomaly-detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "OpenTelemetry Language SDK Security",
      "url": "/articles/observability/otel-sdk-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/otel-sdk-security/",
      "category": "observability",
      "tags": ["opentelemetry","otel-sdk","cve-2026-40182","cve-2026-40891","otlp","grpc","dos"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "Wazuh Cluster Security Hardening",
      "url": "/articles/observability/wazuh-cluster-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/wazuh-cluster-security/",
      "category": "observability",
      "tags": ["wazuh","cve-2026-30893","cve-2026-25769","cluster-security","path-traversal","rce","siem"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "cargo-component WASM Build Tool Supply Chain Security",
      "url": "/articles/wasm/cargo-component-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/wasm/cargo-component-supply-chain/",
      "category": "wasm",
      "tags": ["cargo-component","wasm","supply-chain","proc-macro","build-rs","rust","component-model"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Sandboxing npm postinstall Scripts with WASM: Containing the Axios RAT Pattern",
      "url": "/articles/wasm/wasm-npm-postinstall-sandbox/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-npm-postinstall-sandbox/",
      "category": "wasm",
      "tags": ["supply-chain","npm","wasi","sandboxing","postinstall"],
      "difficulty": "advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WebAssembly Sandboxing for OT Edge: WASI Capabilities as Conduit Enforcement",
      "url": "/articles/wasm/wasm-ot-edge-sandboxing/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-ot-edge-sandboxing/",
      "category": "wasm",
      "tags": ["ot-security","wasi","sandboxing","industrial-edge","wasmtime"],
      "difficulty": "advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WebAssembly OT Protocol Parsers: Memory-Safe Modbus and DNP3 Parsing",
      "url": "/articles/wasm/wasm-ot-protocol-parsers/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-ot-protocol-parsers/",
      "category": "wasm",
      "tags": ["ot-security","modbus","dnp3","wasm","protocol-parsing"],
      "difficulty": "advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Wasmer WebAssembly Runtime Security",
      "url": "/articles/wasm/wasmer-runtime-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmer-runtime-security/",
      "category": "wasm",
      "tags": ["wasmer","wasm","jit","cranelift","llvm","singlepass","sandbox","runtime-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Wasmtime Async Component DoS: Hardening Against CVE-2026-27195",
      "url": "/articles/wasm/wasmtime-async-dos-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmtime-async-dos-security/",
      "category": "wasm",
      "tags": ["wasmtime","component-model","async","denial-of-service","cve"],
      "difficulty": "advanced",
      "reading_time_minutes": 11,
      "date": "2026-05-03T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "CrewAI Agent Sandbox Security",
      "url": "/articles/ai-landscape/crewai-sandbox-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/crewai-sandbox-security/",
      "category": "ai-landscape",
      "tags": ["crewai","cve-2026-2275","cve-2026-2287","sandbox","code-interpreter","ssrf","agent-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "HuggingFace Hub Supply Chain Security",
      "url": "/articles/ai-landscape/huggingface-model-hub-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/huggingface-model-hub-security/",
      "category": "ai-landscape",
      "tags": ["huggingface","model-hub","pickle","safetensors","supply-chain","ml-security","transformers"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "LangChain Serialization and Prompt Loading Security",
      "url": "/articles/ai-landscape/langchain-serialization-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/langchain-serialization-security/",
      "category": "ai-landscape",
      "tags": ["langchain","serialization","cve-2026-34070","cve-2025-68664","path-traversal","deserialization","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "LiteLLM Proxy Security Hardening",
      "url": "/articles/ai-landscape/litellm-proxy-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/litellm-proxy-security/",
      "category": "ai-landscape",
      "tags": ["litellm","llm-proxy","api-security","rate-limiting","spend-controls","multi-provider"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "MCP OAuth 2.1 Authorization Security",
      "url": "/articles/ai-landscape/mcp-oauth-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mcp-oauth-security/",
      "category": "ai-landscape",
      "tags": ["mcp","oauth","authorization","llm","ai-agents","pkce","dynamic-client-registration"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "Ollama Production Deployment Security",
      "url": "/articles/ai-landscape/ollama-deployment-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ollama-deployment-security/",
      "category": "ai-landscape",
      "tags": ["ollama","cve-2026-5757","gguf","llm","api-security","unauthenticated","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Argo CD ApplicationSet and Cluster Generator Security",
      "url": "/articles/cicd/argocd-applicationset-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/argocd-applicationset-security/",
      "category": "cicd",
      "tags": ["argocd","applicationset","gitops","cluster-generator","cve","privilege-escalation","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Dagger Pipeline Security",
      "url": "/articles/cicd/dagger-pipeline-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/dagger-pipeline-security/",
      "category": "cicd",
      "tags": ["dagger","pipeline-security","container","api-security","secrets","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "GitHub App Installation Token Security",
      "url": "/articles/cicd/github-app-token-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-app-token-security/",
      "category": "cicd",
      "tags": ["github","github-app","tokens","pat","supply-chain","secret-management","ci-cd"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Harbor Container Registry Security Hardening",
      "url": "/articles/cicd/harbor-registry-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/harbor-registry-security/",
      "category": "cicd",
      "tags": ["harbor","container-registry","cve-2026-4404","hardcoded-credentials","supply-chain","image-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "OpenTofu Provider and Module Supply Chain Security",
      "url": "/articles/cicd/opentofu-provider-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/cicd/opentofu-provider-supply-chain/",
      "category": "cicd",
      "tags": ["opentofu","terraform","provider","supply-chain","cve-2026-32280","tls","init"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Trusted Publishing to npm and PyPI with OIDC",
      "url": "/articles/cicd/trusted-publishing-oidc/",
      "full_url": "https://www.systemshardening.com/articles/cicd/trusted-publishing-oidc/",
      "category": "cicd",
      "tags": ["trusted-publishing","oidc","npm","pypi","supply-chain","github-actions","tokens"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Keycloak and ZITADEL Token Security Hardening",
      "url": "/articles/cross-cutting/keycloak-token-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/keycloak-token-security/",
      "category": "cross-cutting",
      "tags": ["keycloak","zitadel","token-security","oauth","cve-2026-1035","cve-2026-29191","identity","toctou"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "NIST CSF 2.0 Implementation Guide for Engineering Teams",
      "url": "/articles/cross-cutting/nist-csf-2-implementation/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/nist-csf-2-implementation/",
      "category": "cross-cutting",
      "tags": ["nist-csf","compliance","governance","risk-management","framework","security-program"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "OpenSSF Scorecard for Supply Chain Security",
      "url": "/articles/cross-cutting/openssf-scorecard-supply-chain/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/openssf-scorecard-supply-chain/",
      "category": "cross-cutting",
      "tags": ["openssf","scorecard","supply-chain","open-source","cve","security-posture","dependencies"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Internal Developer Platform Security",
      "url": "/articles/cross-cutting/platform-engineering-security/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/platform-engineering-security/",
      "category": "cross-cutting",
      "tags": ["platform-engineering","backstage","idp","service-catalog","scaffolding","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Splunk Enterprise Security Hardening",
      "url": "/articles/cross-cutting/splunk-enterprise-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/splunk-enterprise-hardening/",
      "category": "cross-cutting",
      "tags": ["splunk","cve-2026-20204","rce","file-upload","siem","svd-2026-0403","enterprise-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "HashiCorp Vault API Surface Hardening",
      "url": "/articles/cross-cutting/vault-api-surface-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/vault-api-surface-hardening/",
      "category": "cross-cutting",
      "tags": ["vault","hashicorp","api-security","cve-2026-5807","hcsec-2026-08","secrets-management","dos"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Cluster API Security for Kubernetes Fleet Management",
      "url": "/articles/kubernetes/cluster-api-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/cluster-api-security/",
      "category": "kubernetes",
      "tags": ["cluster-api","capi","fleet-management","bootstrap","iam","multi-cluster"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Kubernetes CSI NFS and SMB Driver Security",
      "url": "/articles/kubernetes/csi-nfs-smb-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/csi-nfs-smb-security/",
      "category": "kubernetes",
      "tags": ["csi","nfs","smb","cve-2026-3864","cve-2026-3865","path-traversal","storage-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "gRPC-Go HTTP/2 Authorization Bypass Hardening",
      "url": "/articles/kubernetes/grpc-go-authorization-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/grpc-go-authorization-security/",
      "category": "kubernetes",
      "tags": ["grpc","grpc-go","cve-2026-33186","authorization","http2","path-header","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "ingress-nginx Annotation Injection Hardening",
      "url": "/articles/kubernetes/ingress-nginx-injection-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ingress-nginx-injection-hardening/",
      "category": "kubernetes",
      "tags": ["ingress-nginx","annotation-injection","cve-2026-3288","kubernetes","admission-control","rce"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "KubeVirt VM Security on Kubernetes",
      "url": "/articles/kubernetes/kubevirt-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubevirt-security/",
      "category": "kubernetes",
      "tags": ["kubevirt","vm-security","virtualization","qemu","libvirt","live-migration"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "OCI Image Volume Security in Kubernetes",
      "url": "/articles/kubernetes/oci-image-volume-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/oci-image-volume-security/",
      "category": "kubernetes",
      "tags": ["oci","image-volumes","kep-4639","supply-chain","admission-control","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "eBPF Verifier Security Hardening",
      "url": "/articles/linux/ebpf-verifier-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/ebpf-verifier-security/",
      "category": "linux",
      "tags": ["ebpf","verifier","kernel","lpe","bpf","ghsa-hfqc-63c7-rj9f","privilege-escalation"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Kernel Keyring Security and TPM2-Backed Keyrings",
      "url": "/articles/linux/linux-kernel-keyring-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-kernel-keyring-security/",
      "category": "linux",
      "tags": ["keyring","tpm2","ima","keyctl","kernel","credentials","pkcs11"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Linux netfilter and nf_tables Security Hardening",
      "url": "/articles/linux/linux-netfilter-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-netfilter-security/",
      "category": "linux",
      "tags": ["netfilter","nftables","nf-tables","cve-2026-31414","kernel","lpe","connection-tracking"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Page-Cache and splice() Security",
      "url": "/articles/linux/linux-page-cache-splice-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-page-cache-splice-security/",
      "category": "linux",
      "tags": ["page-cache","splice","af-alg","cve-2026-31431","kernel","lpe","crypto-api"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "runc Container Runtime Security and CVE Hardening",
      "url": "/articles/linux/runc-container-runtime-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/runc-container-runtime-security/",
      "category": "linux",
      "tags": ["runc","container-runtime","cve","mount-namespace","seccomp","apparmor","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "systemd Encrypted Service Credentials",
      "url": "/articles/linux/systemd-credentials-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/systemd-credentials-hardening/",
      "category": "linux",
      "tags": ["systemd","credentials","tpm2","secrets","service-hardening","encryption"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "BGP FlowSpec for DDoS Mitigation and Traffic Steering",
      "url": "/articles/network/bgp-flowspec-ddos/",
      "full_url": "https://www.systemshardening.com/articles/network/bgp-flowspec-ddos/",
      "category": "network",
      "tags": ["bgp","flowspec","ddos","rtbh","gobgp","frr","traffic-engineering"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","sre","security-engineer"]
    },
    {
      "title": "Cilium L7 Network Policy Security",
      "url": "/articles/network/cilium-l7-policy-security/",
      "full_url": "https://www.systemshardening.com/articles/network/cilium-l7-policy-security/",
      "category": "network",
      "tags": ["cilium","l7-policy","cve-2026-33726","network-policy","envoy","per-endpoint-routing"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Istio RBAC and Header Policy Security",
      "url": "/articles/network/istio-rbac-header-security/",
      "full_url": "https://www.systemshardening.com/articles/network/istio-rbac-header-security/",
      "category": "network",
      "tags": ["istio","rbac","cve-2026-26308","cve-2026-22771","envoy","header-policy","service-mesh"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Link-Layer Security: ARP Spoofing Defence and DHCP Snooping",
      "url": "/articles/network/link-layer-security/",
      "full_url": "https://www.systemshardening.com/articles/network/link-layer-security/",
      "category": "network",
      "tags": ["arp","dhcp","link-layer","spoofing","nd-guard","arptables","network-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","sre","security-engineer"]
    },
    {
      "title": "Traefik Authentication Middleware Security",
      "url": "/articles/network/traefik-auth-middleware-security/",
      "full_url": "https://www.systemshardening.com/articles/network/traefik-auth-middleware-security/",
      "category": "network",
      "tags": ["traefik","cve-2026-40912","cve-2026-39858","forwardauth","middleware","auth-bypass","proxy"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "VXLAN and Geneve Overlay Network Security",
      "url": "/articles/network/vxlan-geneve-overlay-security/",
      "full_url": "https://www.systemshardening.com/articles/network/vxlan-geneve-overlay-security/",
      "category": "network",
      "tags": ["vxlan","geneve","overlay","vtep","network-security","cloud-native","encapsulation"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["systems-engineer","sre","security-engineer"]
    },
    {
      "title": "Grafana Beyla eBPF Auto-Instrumentation Security",
      "url": "/articles/observability/beyla-ebpf-autoinstrumentation-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/beyla-ebpf-autoinstrumentation-security/",
      "category": "observability",
      "tags": ["beyla","ebpf","auto-instrumentation","observability","cap-bpf","opentelemetry","pii"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "Grafana SQL Expressions and Plugin RCE Hardening",
      "url": "/articles/observability/grafana-sql-expressions-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/grafana-sql-expressions-security/",
      "category": "observability",
      "tags": ["grafana","sql-expressions","cve-2026-27876","plugin-security","rce","feature-toggle"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "Graylog Security Hardening",
      "url": "/articles/observability/graylog-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/graylog-security-hardening/",
      "category": "observability",
      "tags": ["graylog","cve-2026-1435","cve-2026-1436","session-fixation","idor","log-management","siem"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "OpenTelemetry Tail-Based Sampling for Security-Critical Traces",
      "url": "/articles/observability/otel-tail-sampling-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/otel-tail-sampling-security/",
      "category": "observability",
      "tags": ["opentelemetry","tail-sampling","tracing","otel-collector","security-traces","sampling"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "Prometheus Remote Write and Config Endpoint Security",
      "url": "/articles/observability/prometheus-remote-write-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/prometheus-remote-write-security/",
      "category": "observability",
      "tags": ["prometheus","remote-write","cve-2026-42151","cve-2026-42154","oauth","credential-exposure","xss"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "Vector Log Pipeline Security",
      "url": "/articles/observability/vector-log-pipeline-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/vector-log-pipeline-security/",
      "category": "observability",
      "tags": ["vector","log-pipeline","lua","transforms","credentials","supply-chain","datadog"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "jco JavaScript/WASM Component Model Security",
      "url": "/articles/wasm/jco-wasm-component-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/jco-wasm-component-security/",
      "category": "wasm",
      "tags": ["jco","wasm","component-model","wasi","node-js","deno","capability-security","javascript"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "WASM AOT Compilation Pipeline Security",
      "url": "/articles/wasm/wasm-aot-compilation-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-aot-compilation-security/",
      "category": "wasm",
      "tags": ["wasm","aot","compilation","supply-chain","wasmtime","wasmedge","signing","toolchain"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "WASM Exception Handling v2 Security",
      "url": "/articles/wasm/wasm-exception-handling-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-exception-handling-security/",
      "category": "wasm",
      "tags": ["wasm","exception-handling","try-table","wasmtime","v8","multi-tenancy","sandbox"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "WASM memory64 Security Implications",
      "url": "/articles/wasm/wasm-memory64-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-memory64-security/",
      "category": "wasm",
      "tags": ["wasm","memory64","linear-memory","integer-overflow","wasmtime","v8","sandbox"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "WASM Tail Calls Security Implications",
      "url": "/articles/wasm/wasm-tail-calls-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-tail-calls-security/",
      "category": "wasm",
      "tags": ["wasm","tail-calls","return-call","stack-depth","wasmtime","v8","security-tools"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Wasmtime WASI Resource Limit Security",
      "url": "/articles/wasm/wasmtime-wasi-resource-limits/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmtime-wasi-resource-limits/",
      "category": "wasm",
      "tags": ["wasmtime","wasi","cve-2026-27572","resource-limits","dos","wasi-http","sandbox"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-02T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "AI Code Assistant Security: Prompt Leakage, Code Exfiltration, and IDE Plugin Risks",
      "url": "/articles/ai-landscape/ai-code-assistant-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-code-assistant-security/",
      "category": "ai-landscape",
      "tags": ["code-assistant","copilot","ide-security","data-exfiltration","intellectual-property"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ciso","platform-engineer"]
    },
    {
      "title": "Differential Privacy for ML Training: ε-DP Guarantees and Implementation",
      "url": "/articles/ai-landscape/differential-privacy-ml/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/differential-privacy-ml/",
      "category": "ai-landscape",
      "tags": ["differential-privacy","dp-sgd","opacus","tensorflow-privacy","ml-security","privacy"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "LLM Multi-Turn Security: Context Accumulation Attacks, Session Isolation, and Memory Poisoning",
      "url": "/articles/ai-landscape/llm-multi-turn-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-multi-turn-security/",
      "category": "ai-landscape",
      "tags": ["llm-security","multi-turn","context-injection","session-isolation","memory-poisoning"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "LLM Structured Output Security: JSON Schema Injection, Type Confusion, and Schema Enforcement",
      "url": "/articles/ai-landscape/llm-structured-output-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-structured-output-security/",
      "category": "ai-landscape",
      "tags": ["structured-output","json-schema","llm-security","output-validation","type-confusion"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "LLM System Prompt Protection: Confidentiality, Injection Resistance, and Extraction Prevention",
      "url": "/articles/ai-landscape/llm-system-prompt-protection/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-system-prompt-protection/",
      "category": "ai-landscape",
      "tags": ["system-prompt","prompt-injection","llm-security","confidentiality","jailbreak"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "vLLM Production Security Hardening",
      "url": "/articles/ai-landscape/vllm-production-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/vllm-production-security/",
      "category": "ai-landscape",
      "tags": ["vllm","llm","inference","api-security","gpu","cuda","rate-limiting","authentication"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Argo CD Security Hardening: RBAC, SSO, and Repository Access Controls",
      "url": "/articles/cicd/argocd-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/argocd-security-hardening/",
      "category": "cicd",
      "tags": ["argocd","gitops","rbac","sso","kubernetes-security","cicd"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "BuildKit Rootless Build Security",
      "url": "/articles/cicd/buildkit-rootless-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/buildkit-rootless-security/",
      "category": "cicd",
      "tags": ["buildkit","rootless","docker","container-build","user-namespaces","supply-chain","secrets"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Flux CD Security: GitRepository Authentication, Kustomization Trust, and RBAC",
      "url": "/articles/cicd/flux-cd-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/flux-cd-security/",
      "category": "cicd",
      "tags": ["flux","gitops","kubernetes","rbac","git-authentication","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "GitLab CI Security: Protected Variables, Runner Isolation, and Pipeline Hardening",
      "url": "/articles/cicd/gitlab-ci-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/gitlab-ci-security/",
      "category": "cicd",
      "tags": ["gitlab","cicd","pipeline-security","runners","variables","protected-branches"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Jenkins Security Hardening: Authentication, Plugin Management, and Agent Isolation",
      "url": "/articles/cicd/jenkins-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/jenkins-security-hardening/",
      "category": "cicd",
      "tags": ["jenkins","authentication","plugins","agents","cicd-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Tekton Pipeline Security: TaskRun Isolation, Workspace Permissions, and RBAC",
      "url": "/articles/cicd/tekton-pipeline-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/tekton-pipeline-security/",
      "category": "cicd",
      "tags": ["tekton","kubernetes","pipeline-security","rbac","workspace","cicd"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Bug Bounty Program Setup: Scope, Triage, and Researcher Relations",
      "url": "/articles/cross-cutting/bug-bounty-program/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/bug-bounty-program/",
      "category": "cross-cutting",
      "tags": ["bug-bounty","vulnerability-disclosure","researcher-relations","security-program"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ciso"]
    },
    {
      "title": "Fine-Grained Authorization with Cedar Policy Language",
      "url": "/articles/cross-cutting/cedar-policy-authorization/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/cedar-policy-authorization/",
      "category": "cross-cutting",
      "tags": ["cedar","authorization","policy","aws","verified-permissions","rbac","abac","policy-as-code"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Data Loss Prevention for Cloud Environments: Classification, Egress Controls, and Monitoring",
      "url": "/articles/cross-cutting/data-loss-prevention/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/data-loss-prevention/",
      "category": "cross-cutting",
      "tags": ["dlp","data-classification","egress-control","data-exfiltration","cloud-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ciso","platform-engineer"]
    },
    {
      "title": "DevSecOps Maturity Model: Measuring and Advancing Security Programme Capability",
      "url": "/articles/cross-cutting/devsecops-maturity-model/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/devsecops-maturity-model/",
      "category": "cross-cutting",
      "tags": ["devsecops","maturity-model","security-programme","measurement","capability"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["ciso","security-engineer","platform-engineer"]
    },
    {
      "title": "Penetration Testing Methodology: Scoping, Execution, and Findings Management",
      "url": "/articles/cross-cutting/penetration-testing-methodology/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/penetration-testing-methodology/",
      "category": "cross-cutting",
      "tags": ["penetration-testing","red-team","vulnerability-assessment","scoping","findings-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ciso","platform-engineer"]
    },
    {
      "title": "Vulnerability Management Program: Scanning, SLAs, and Risk-Based Prioritisation",
      "url": "/articles/cross-cutting/vulnerability-management-program/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/vulnerability-management-program/",
      "category": "cross-cutting",
      "tags": ["vulnerability-management","cvss","patching","sla","risk-based","scanning"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","ciso","platform-engineer"]
    },
    {
      "title": "CoreDNS Security Hardening: Rebinding Protection, Plugin Configuration, and DNSSEC Forwarding",
      "url": "/articles/kubernetes/coredns-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/coredns-security/",
      "category": "kubernetes",
      "tags": ["coredns","dns","kubernetes","rebinding","plugin-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Karpenter Node Provisioning Security",
      "url": "/articles/kubernetes/karpenter-node-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/karpenter-node-security/",
      "category": "kubernetes",
      "tags": ["karpenter","node-security","iam","ec2","nodepool","kubernetes","eks"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "kube-bench: CIS Kubernetes Benchmark Automation and Remediation",
      "url": "/articles/kubernetes/kube-bench-cis-benchmark/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kube-bench-cis-benchmark/",
      "category": "kubernetes",
      "tags": ["kube-bench","cis-benchmark","compliance","kubernetes-hardening","security-posture"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Kubernetes CronJob Security: Least Privilege, Concurrency Controls, and Credential Isolation",
      "url": "/articles/kubernetes/kubernetes-cronjob-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-cronjob-security/",
      "category": "kubernetes",
      "tags": ["cronjob","kubernetes","least-privilege","credentials","concurrency","rbac"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes Operator Security: RBAC Scoping, Webhook Hardening, and Privilege Minimisation",
      "url": "/articles/kubernetes/kubernetes-operator-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-operator-security/",
      "category": "kubernetes",
      "tags": ["operators","rbac","webhooks","crd","kubernetes-security","controller"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes Resource Quotas and LimitRanges: Preventing Noisy Neighbour and Denial of Service",
      "url": "/articles/kubernetes/resource-quotas-limitranges/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/resource-quotas-limitranges/",
      "category": "kubernetes",
      "tags": ["resource-quota","limitrange","multi-tenancy","dos-prevention","kubernetes-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Linux Binary Hardening: ASLR, PIE, RELRO, and FORTIFY_SOURCE",
      "url": "/articles/linux/linux-memory-protections/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-memory-protections/",
      "category": "linux",
      "tags": ["aslr","pie","relro","fortify-source","binary-hardening","exploit-mitigations"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Linux Package Manager Security: APT/DNF Signature Verification, Mirror Pinning, and Supply Chain Hardening",
      "url": "/articles/linux/package-manager-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/package-manager-security/",
      "category": "linux",
      "tags": ["apt","dnf","package-manager","supply-chain","gpg","linux-hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Linux Rootkit Detection: rkhunter, Kernel Module Auditing, and Integrity Verification",
      "url": "/articles/linux/rootkit-detection/",
      "full_url": "https://www.systemshardening.com/articles/linux/rootkit-detection/",
      "category": "linux",
      "tags": ["rootkit","rkhunter","integrity","kernel-modules","linux-hardening","forensics"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "SSH Certificate Authority: Short-Lived User Certificates and Host Verification",
      "url": "/articles/linux/ssh-certificate-authority/",
      "full_url": "https://www.systemshardening.com/articles/linux/ssh-certificate-authority/",
      "category": "linux",
      "tags": ["ssh","certificate-authority","pki","short-lived-certificates","access-control"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Sudo Hardening: Least Privilege, sudoers Configuration, and Privilege Escalation Prevention",
      "url": "/articles/linux/sudo-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/sudo-hardening/",
      "category": "linux",
      "tags": ["sudo","privilege-escalation","sudoers","least-privilege","linux-hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Unified Kernel Image and Measured Boot Hardening",
      "url": "/articles/linux/uki-secure-boot-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/uki-secure-boot-hardening/",
      "category": "linux",
      "tags": ["uki","secure-boot","measured-boot","tpm2","systemd-boot","ima","pcr"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Private Encrypted DNS Infrastructure with DoH and DoT",
      "url": "/articles/network/encrypted-dns-infrastructure/",
      "full_url": "https://www.systemshardening.com/articles/network/encrypted-dns-infrastructure/",
      "category": "network",
      "tags": ["dns","doh","dot","dnscrypt","unbound","resolver","privacy","tls"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["systems-engineer","sre","security-engineer"]
    },
    {
      "title": "IPsec VPN Hardening: IKEv2, StrongSwan, and Certificate-Based Authentication",
      "url": "/articles/network/ipsec-vpn-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/ipsec-vpn-hardening/",
      "category": "network",
      "tags": ["ipsec","ikev2","strongswan","vpn","certificate","network-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Network Segmentation Patterns: Micro-segmentation, East-West Controls, and Zero-Trust Zones",
      "url": "/articles/network/network-segmentation-patterns/",
      "full_url": "https://www.systemshardening.com/articles/network/network-segmentation-patterns/",
      "category": "network",
      "tags": ["network-segmentation","micro-segmentation","east-west","zero-trust","vlan","firewall"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "SNMP v3 Hardening: Authentication, Encryption, and View-Based Access Control",
      "url": "/articles/network/snmp-v3-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/snmp-v3-hardening/",
      "category": "network",
      "tags": ["snmp","snmpv3","network-monitoring","network-security","view-based-access"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Suricata IDS/IPS: Host and Container Network Intrusion Detection",
      "url": "/articles/network/suricata-ids-ips/",
      "full_url": "https://www.systemshardening.com/articles/network/suricata-ids-ips/",
      "category": "network",
      "tags": ["suricata","ids","ips","intrusion-detection","network-security","nfqueue"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "TLS Certificate Transparency Monitoring: CT Logs, CAA Records, and Misissuance Detection",
      "url": "/articles/network/tls-certificate-transparency/",
      "full_url": "https://www.systemshardening.com/articles/network/tls-certificate-transparency/",
      "category": "network",
      "tags": ["certificate-transparency","tls","caa","pki","misissuance","monitoring"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Prometheus Alertmanager Security: Receiver Credentials, Silencing Controls, and Inhibition Rules",
      "url": "/articles/observability/alertmanager-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/alertmanager-security/",
      "category": "observability",
      "tags": ["alertmanager","prometheus","alerting","security","silence","receiver"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Continuous Profiling Security with Parca and Pyroscope",
      "url": "/articles/observability/continuous-profiling-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/continuous-profiling-security/",
      "category": "observability",
      "tags": ["profiling","parca","pyroscope","ebpf","pii","observability","access-control"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "Distributed Tracing Security: Jaeger, Tempo, and Sensitive Span Data Scrubbing",
      "url": "/articles/observability/distributed-tracing-security/",
      "full_url": "https://www.systemshardening.com/articles/observability/distributed-tracing-security/",
      "category": "observability",
      "tags": ["jaeger","tempo","tracing","opentelemetry","pii","span-scrubbing"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Elasticsearch Security Hardening: TLS, Role-Based Access, and Audit Logging",
      "url": "/articles/observability/elasticsearch-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/elasticsearch-security-hardening/",
      "category": "observability",
      "tags": ["elasticsearch","opensearch","elk-stack","tls","rbac","audit-logging"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Grafana Security Hardening: Authentication, RBAC, and Data Source Permissions",
      "url": "/articles/observability/grafana-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/grafana-security-hardening/",
      "category": "observability",
      "tags": ["grafana","authentication","rbac","data-source","observability-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Loki Security Hardening: Authentication, Tenant Isolation, and Log Tampering Prevention",
      "url": "/articles/observability/loki-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/observability/loki-security-hardening/",
      "category": "observability",
      "tags": ["loki","logging","authentication","multi-tenancy","log-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Extism Plugin Security: Host/Guest Trust Boundaries and Capability Isolation",
      "url": "/articles/wasm/extism-plugin-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/extism-plugin-security/",
      "category": "wasm",
      "tags": ["extism","wasm","plugin-system","host-guest","capability","sandbox"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Open Policy Agent with WASM: Policy Compilation, Sandboxed Evaluation, and Performance",
      "url": "/articles/wasm/opa-wasm-policy/",
      "full_url": "https://www.systemshardening.com/articles/wasm/opa-wasm-policy/",
      "category": "wasm",
      "tags": ["opa","wasm","rego","policy","authorisation","sandbox"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WebAssembly Dynamic Linking Security: Module Composition, Trust Chains, and Plugin Graphs",
      "url": "/articles/wasm/wasm-dynamic-linking-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-dynamic-linking-security/",
      "category": "wasm",
      "tags": ["wasm","dynamic-linking","component-model","trust-boundary","module-composition"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WASM Linear Memory Safety: Bounds Checking, Buffer Overflows, and Stack Protection",
      "url": "/articles/wasm/wasm-linear-memory-safety/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-linear-memory-safety/",
      "category": "wasm",
      "tags": ["wasm","memory-safety","buffer-overflow","linear-memory","stack-protection"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WASM Toolchain Security: Compiler Flags, Binaryen Optimisations, and Build Supply Chain",
      "url": "/articles/wasm/wasm-toolchain-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-toolchain-security/",
      "category": "wasm",
      "tags": ["wasm","toolchain","emscripten","wasi-sdk","binaryen","supply-chain","compiler-flags"],
      "difficulty": "advanced",
      "reading_time_minutes": 12,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "WasmGC Security Implications for Multi-Tenant Runtimes",
      "url": "/articles/wasm/wasmgc-security-implications/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmgc-security-implications/",
      "category": "wasm",
      "tags": ["wasm","wasmgc","garbage-collection","multi-tenant","type-safety","memory-safety","v8","wasmtime"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-05-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "AI Agent Kill Switches and Human Override Mechanisms",
      "url": "/articles/ai-landscape/ai-agent-kill-switches/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-agent-kill-switches/",
      "category": "ai-landscape",
      "tags": ["ai-agents","kill-switch","human-oversight","corrigibility","interrupt"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "AI Model Weight Security: Protecting Proprietary Parameters from Theft and Exfiltration",
      "url": "/articles/ai-landscape/ai-model-weight-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-model-weight-security/",
      "category": "ai-landscape",
      "tags": ["model-weights","ip-protection","watermarking","iam","ai-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Federated Learning Security: Gradient Poisoning, Byzantine Clients, and Secure Aggregation",
      "url": "/articles/ai-landscape/federated-learning-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/federated-learning-security/",
      "category": "ai-landscape",
      "tags": ["federated-learning","gradient-poisoning","byzantine","secure-aggregation","privacy"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "LLM Hallucination Detection for Security-Critical Decisions",
      "url": "/articles/ai-landscape/llm-hallucination-detection/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-hallucination-detection/",
      "category": "ai-landscape",
      "tags": ["hallucination","llm","security-automation","rag","grounding"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "Branch Protection and Code Review Security at Scale",
      "url": "/articles/cicd/branch-protection-code-review/",
      "full_url": "https://www.systemshardening.com/articles/cicd/branch-protection-code-review/",
      "category": "cicd",
      "tags": ["branch-protection","code-review","codeowners","github","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Container Build Hardening: BuildKit Secrets, Rootless Builds, and Multi-Stage Security",
      "url": "/articles/cicd/container-build-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/container-build-hardening/",
      "category": "cicd",
      "tags": ["docker","buildkit","container","supply-chain","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Private Package Registry Security: Dependency Confusion and Namespace Protection",
      "url": "/articles/cicd/private-package-registry-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/private-package-registry-security/",
      "category": "cicd",
      "tags": ["supply-chain","npm","pypi","registry","dependency-confusion"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Terraform State Security: Remote Backends, Encryption, and Drift Detection",
      "url": "/articles/cicd/terraform-state-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/terraform-state-security/",
      "category": "cicd",
      "tags": ["terraform","state","backend","encryption","drift-detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Cloud Security Posture Management: Automated Drift Detection and Compliance",
      "url": "/articles/cross-cutting/cloud-security-posture-management/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/cloud-security-posture-management/",
      "category": "cross-cutting",
      "tags": ["cspm","cloud-security","misconfiguration","compliance","drift-detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Kafka Security Hardening: Authentication, ACLs, Encryption, and Schema Registry",
      "url": "/articles/cross-cutting/kafka-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/kafka-security-hardening/",
      "category": "cross-cutting",
      "tags": ["kafka","sasl","acl","tls","message-queue"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Security Metrics Program: KPIs, Dashboards, and Board Reporting",
      "url": "/articles/cross-cutting/security-metrics-program/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/security-metrics-program/",
      "category": "cross-cutting",
      "tags": ["metrics","kpi","dashboard","board-reporting","security-posture"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Third-Party Vendor Security Assessment: Questionnaires, Monitoring, and SLAs",
      "url": "/articles/cross-cutting/vendor-security-assessment/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/vendor-security-assessment/",
      "category": "cross-cutting",
      "tags": ["vendor-management","third-party-risk","supply-chain","questionnaire","sla"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","ciso","platform-engineer"]
    },
    {
      "title": "Cilium Network Policy: FQDN Filtering, L7 Policies, and Hubble Observability",
      "url": "/articles/kubernetes/cilium-network-policy/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/cilium-network-policy/",
      "category": "kubernetes",
      "tags": ["cilium","network-policy","fqdn","ebpf","hubble"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Kubernetes OIDC Authentication and kubectl Access Control",
      "url": "/articles/kubernetes/kubernetes-oidc-authentication/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-oidc-authentication/",
      "category": "kubernetes",
      "tags": ["oidc","kubectl","authentication","rbac","kubernetes"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Kyverno Policy Development and Testing: Validate, Mutate, and Generate",
      "url": "/articles/kubernetes/kyverno-policy-development/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kyverno-policy-development/",
      "category": "kubernetes",
      "tags": ["kyverno","policy","admission-control","validation","kubernetes"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Kubernetes Backup Security with Velero: Encryption, RBAC, and Immutable Storage",
      "url": "/articles/kubernetes/velero-backup-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/velero-backup-security/",
      "category": "kubernetes",
      "tags": ["velero","backup","encryption","ransomware","kubernetes"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Linux Kernel Live Patching: kpatch and livepatch for Zero-Day Response",
      "url": "/articles/linux/kernel-live-patching/",
      "full_url": "https://www.systemshardening.com/articles/linux/kernel-live-patching/",
      "category": "linux",
      "tags": ["kernel","live-patching","kpatch","livepatch","zero-day"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Linux User Namespace Security: Attack Surface Reduction and Safe Delegation",
      "url": "/articles/linux/linux-user-namespace-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-user-namespace-security/",
      "category": "linux",
      "tags": ["user-namespaces","namespaces","kernel","containers","privilege-escalation"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "LUKS Disk Encryption with TPM2 Sealing: Measured Boot and Network-Bound Unlock",
      "url": "/articles/linux/luks-tpm2-sealing/",
      "full_url": "https://www.systemshardening.com/articles/linux/luks-tpm2-sealing/",
      "category": "linux",
      "tags": ["luks","tpm2","disk-encryption","clevis","tang"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Seccomp-BPF for Non-Container Workloads: Syscall Filtering for System Services",
      "url": "/articles/linux/seccomp-bpf-non-container/",
      "full_url": "https://www.systemshardening.com/articles/linux/seccomp-bpf-non-container/",
      "category": "linux",
      "tags": ["seccomp","bpf","syscall","systemd","hardening"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "DNS Response Policy Zones: Blocking C2 Domains with Internal Resolver Threat Intelligence",
      "url": "/articles/network/dns-rpz-threat-intelligence/",
      "full_url": "https://www.systemshardening.com/articles/network/dns-rpz-threat-intelligence/",
      "category": "network",
      "tags": ["dns","rpz","threat-intelligence","c2","resolver"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Email Security Hardening: SPF, DKIM, DMARC, and BIMI",
      "url": "/articles/network/email-security-spf-dkim-dmarc/",
      "full_url": "https://www.systemshardening.com/articles/network/email-security-spf-dkim-dmarc/",
      "category": "network",
      "tags": ["email","spf","dkim","dmarc","bimi"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Network Time Security: Authenticated NTP for Infrastructure",
      "url": "/articles/network/network-time-security-nts/",
      "full_url": "https://www.systemshardening.com/articles/network/network-time-security-nts/",
      "category": "network",
      "tags": ["ntp","nts","time-security","chrony","infrastructure"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "SSH Bastion Host and Jump Server Hardening",
      "url": "/articles/network/ssh-bastion-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/ssh-bastion-hardening/",
      "category": "network",
      "tags": ["ssh","bastion","jump-server","session-recording","mfa"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Application Security Logging: Structured Events, PII Redaction, and SIEM Integration",
      "url": "/articles/observability/application-security-logging/",
      "full_url": "https://www.systemshardening.com/articles/observability/application-security-logging/",
      "category": "observability",
      "tags": ["logging","siem","pii","security-events","structured-logging"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Cloud Provider Audit Logs: CloudTrail, GCP Audit Logs, and Azure Monitor Hardening",
      "url": "/articles/observability/cloud-provider-audit-logs/",
      "full_url": "https://www.systemshardening.com/articles/observability/cloud-provider-audit-logs/",
      "category": "observability",
      "tags": ["cloudtrail","gcp-audit","azure-monitor","cloud","audit-logs"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Network Flow Analysis: NetFlow, IPFIX, and eBPF for Traffic Anomaly Detection",
      "url": "/articles/observability/network-flow-analysis/",
      "full_url": "https://www.systemshardening.com/articles/observability/network-flow-analysis/",
      "category": "observability",
      "tags": ["netflow","ipfix","ebpf","flow-analysis","anomaly-detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Security Chaos Engineering: Testing Detection and Response Capabilities",
      "url": "/articles/observability/security-chaos-engineering/",
      "full_url": "https://www.systemshardening.com/articles/observability/security-chaos-engineering/",
      "category": "observability",
      "tags": ["chaos-engineering","detection-testing","atomic-red-team","purple-team","validation"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "WASM in the Browser: Content Security Policy, Origin Isolation, and Subresource Integrity",
      "url": "/articles/wasm/wasm-browser-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-browser-security/",
      "category": "wasm",
      "tags": ["wasm","browser","csp","sri","cross-origin-isolation"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "WASM Debugging Security: Stripping Debug Symbols, Source Maps, and Build Hardening",
      "url": "/articles/wasm/wasm-debug-symbol-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-debug-symbol-security/",
      "category": "wasm",
      "tags": ["wasm","debug-symbols","source-maps","binary-hardening","ip-protection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 12,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "wasmCloud Security: Actor Authentication, Capability Providers, and Lattice Trust",
      "url": "/articles/wasm/wasmcloud-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmcloud-security/",
      "category": "wasm",
      "tags": ["wasmcloud","wasm","nkeys","lattice","capability-providers"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "WasmEdge Security: Sandboxing AI Inference, Plugins, and Serverless Functions",
      "url": "/articles/wasm/wasmedge-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmedge-security/",
      "category": "wasm",
      "tags": ["wasmedge","wasm","sandbox","ai-inference","serverless","capability"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "AI Agent Observability and Tracing: OpenTelemetry for Agent Runs and Tool Calls",
      "url": "/articles/ai-landscape/ai-agent-observability/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-agent-observability/",
      "category": "ai-landscape",
      "tags": ["agent","observability","opentelemetry","tracing","ai-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "AI Model Output Watermarking: Provenance for Generated Text and Code",
      "url": "/articles/ai-landscape/ai-output-watermarking/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-output-watermarking/",
      "category": "ai-landscape",
      "tags": ["watermarking","synthid","ai-provenance","llm","detection"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","trust-and-safety"]
    },
    {
      "title": "Continuous AI Red-Teaming Pipelines: Automated Adversarial Testing in CI",
      "url": "/articles/ai-landscape/continuous-red-teaming/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/continuous-red-teaming/",
      "category": "ai-landscape",
      "tags": ["red-teaming","ai-safety","evaluation","ci","prompt-injection"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "Multi-Modal Model Attack Surfaces: Vision, Audio, and Cross-Modal Injection",
      "url": "/articles/ai-landscape/multimodal-attack-surfaces/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/multimodal-attack-surfaces/",
      "category": "ai-landscape",
      "tags": ["multi-modal","vision","adversarial","prompt-injection","ai-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Privacy-Preserving ML Inference: Differential Privacy, Confidential Computing, and Training Data Protection",
      "url": "/articles/ai-landscape/privacy-preserving-ml-inference/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/privacy-preserving-ml-inference/",
      "category": "ai-landscape",
      "tags": ["privacy","differential-privacy","confidential-computing","ml-inference","tee"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "GitHub Advanced Security: Secret Scanning, CodeQL, and Dependabot at Scale",
      "url": "/articles/cicd/github-advanced-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/github-advanced-security/",
      "category": "cicd",
      "tags": ["github","ghas","secret-scanning","codeql","dependabot"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Just-in-Time CI Access for Production Deploys: Approval Flows and Bounded Permissions",
      "url": "/articles/cicd/jit-ci-access/",
      "full_url": "https://www.systemshardening.com/articles/cicd/jit-ci-access/",
      "category": "cicd",
      "tags": ["jit","cicd","production-access","approval","access-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","devops"]
    },
    {
      "title": "Renovate and Dependabot Security Configuration: Auto-Merge Boundaries and Scope Rules",
      "url": "/articles/cicd/renovate-dependabot-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/renovate-dependabot-security/",
      "category": "cicd",
      "tags": ["renovate","dependabot","supply-chain","auto-merge","dependencies"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","devops"]
    },
    {
      "title": "GitHub Apps vs PATs vs Deploy Keys vs OIDC: Choosing the Right SCM Identity",
      "url": "/articles/cicd/scm-identity-choice/",
      "full_url": "https://www.systemshardening.com/articles/cicd/scm-identity-choice/",
      "category": "cicd",
      "tags": ["github","scm","identity","github-apps","oidc","pat"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","devops"]
    },
    {
      "title": "Sigstore Keyless Signing and Cosign Verification: Fulcio, Rekor, and Policy Enforcement",
      "url": "/articles/cicd/sigstore-keyless-signing/",
      "full_url": "https://www.systemshardening.com/articles/cicd/sigstore-keyless-signing/",
      "category": "cicd",
      "tags": ["sigstore","cosign","supply-chain","signing","transparency"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "API Key Lifecycle at Scale: Issuance, Rotation, Scoping, and Audit Across Cloud and SaaS",
      "url": "/articles/cross-cutting/api-key-lifecycle/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/api-key-lifecycle/",
      "category": "cross-cutting",
      "tags": ["api-keys","lifecycle","credentials","rotation","saas"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","compliance"]
    },
    {
      "title": "Hardware Security Module Integration: Key Management for Production Systems",
      "url": "/articles/cross-cutting/hsm-key-management/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/hsm-key-management/",
      "category": "cross-cutting",
      "tags": ["hsm","key-management","pkcs11","vault","cryptography"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "OAuth 2.0 and OIDC Implementation Hardening: PKCE, Token Rotation, and JWT Validation Pitfalls",
      "url": "/articles/cross-cutting/oauth2-oidc-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/oauth2-oidc-hardening/",
      "category": "cross-cutting",
      "tags": ["oauth2","oidc","jwt","pkce","authentication"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Production Access Management with Teleport and Boundary: Brokered, Recorded, Auditable Access",
      "url": "/articles/cross-cutting/production-access-management/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/production-access-management/",
      "category": "cross-cutting",
      "tags": ["teleport","boundary","production-access","session-recording","zero-trust"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Tabletop Exercises and Chaos Security Drills: Building, Running, and Acting on Findings",
      "url": "/articles/cross-cutting/tabletop-exercises/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/tabletop-exercises/",
      "category": "cross-cutting",
      "tags": ["tabletop","chaos-engineering","purple-team","incident-response","exercises"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","sre","engineering-manager"]
    },
    {
      "title": "cert-manager PKI Hardening: Intermediate CAs, Short-Lived Certificates, and Trust Chain Design",
      "url": "/articles/kubernetes/cert-manager-pki-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/cert-manager-pki-hardening/",
      "category": "kubernetes",
      "tags": ["cert-manager","pki","tls","certificates","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "CSI Driver Security: Volume-Mount Hardening, Privileged Drivers, and Inline Ephemeral Volumes",
      "url": "/articles/kubernetes/csi-driver-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/csi-driver-security/",
      "category": "kubernetes",
      "tags": ["csi","kubernetes","storage","volumes","privileged"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "External Secrets Operator: Pulling Secrets from KMS, Vault, and Cloud Stores into Kubernetes",
      "url": "/articles/kubernetes/external-secrets-operator/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/external-secrets-operator/",
      "category": "kubernetes",
      "tags": ["external-secrets-operator","vault","kms","secrets","kubernetes"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Native Sidecar Containers in Kubernetes 1.29+: Lifecycle, Security, and Mesh Migration",
      "url": "/articles/kubernetes/native-sidecar-containers/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/native-sidecar-containers/",
      "category": "kubernetes",
      "tags": ["kubernetes","sidecar","service-mesh","init-containers","lifecycle"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Kubernetes RuntimeClass: gVisor and Kata Containers for Production Workload Isolation",
      "url": "/articles/kubernetes/runtimeclass-gvisor-kata/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/runtimeclass-gvisor-kata/",
      "category": "kubernetes",
      "tags": ["runtimeclass","gvisor","kata-containers","sandboxing","isolation"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "dm-verity and dm-integrity: Tamper-Evident Block-Level Roots for Production Linux",
      "url": "/articles/linux/dm-verity/",
      "full_url": "https://www.systemshardening.com/articles/linux/dm-verity/",
      "category": "linux",
      "tags": ["dm-verity","dm-integrity","linux","immutable","boot-integrity"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "eBPF-LSM (lsm_bpf): Kernel Security Policy as Hot-Loadable BPF Programs",
      "url": "/articles/linux/ebpf-lsm/",
      "full_url": "https://www.systemshardening.com/articles/linux/ebpf-lsm/",
      "category": "linux",
      "tags": ["ebpf","lsm","linux","security","kernel","cloud-native"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Linux Capability Hardening: Dropping Privileges from Daemons and Services",
      "url": "/articles/linux/linux-capability-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-capability-hardening/",
      "category": "linux",
      "tags": ["capabilities","linux","systemd","privilege","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Linux IMA/EVM: Kernel-Level File Integrity Measurement and Appraisal",
      "url": "/articles/linux/linux-ima-evm/",
      "full_url": "https://www.systemshardening.com/articles/linux/linux-ima-evm/",
      "category": "linux",
      "tags": ["ima","evm","integrity","kernel","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "USBGuard: USB Device Authorization on Production Linux Hosts",
      "url": "/articles/linux/usbguard/",
      "full_url": "https://www.systemshardening.com/articles/linux/usbguard/",
      "category": "linux",
      "tags": ["usbguard","usb","linux","device-control","badusb"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "BGP Security and RPKI: Route Origin Validation for Production Networks",
      "url": "/articles/network/bgp-security-rpki/",
      "full_url": "https://www.systemshardening.com/articles/network/bgp-security-rpki/",
      "category": "network",
      "tags": ["bgp","rpki","routing","network-security","rov"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","systems-engineer"]
    },
    {
      "title": "Envoy Proxy Security Hardening: Filter Chains, ext_authz, and Access Log Integrity",
      "url": "/articles/network/envoy-security-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/envoy-security-hardening/",
      "category": "network",
      "tags": ["envoy","proxy","ext-authz","filter-chain","security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "HAProxy Production Hardening: Beyond TLS, Request Filtering, ACLs, and Logging Hygiene",
      "url": "/articles/network/haproxy-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/haproxy-hardening/",
      "category": "network",
      "tags": ["haproxy","tls","load-balancer","acl","network-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Service Mesh Egress Gateway Patterns: Bounded Outbound Traffic in Istio Clusters",
      "url": "/articles/network/istio-egress-gateway/",
      "full_url": "https://www.systemshardening.com/articles/network/istio-egress-gateway/",
      "category": "network",
      "tags": ["istio","egress","service-mesh","kubernetes","network-policy"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "WireGuard Mesh for Internal Zero-Trust Networking: wg-quick, Tailscale, Netbird Compared",
      "url": "/articles/network/wireguard-mesh/",
      "full_url": "https://www.systemshardening.com/articles/network/wireguard-mesh/",
      "category": "network",
      "tags": ["wireguard","tailscale","netbird","zero-trust","vpn"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Alert Deduplication and Correlation Patterns: Beating Alert Fatigue at Scale",
      "url": "/articles/observability/alert-correlation/",
      "full_url": "https://www.systemshardening.com/articles/observability/alert-correlation/",
      "category": "observability",
      "tags": ["alerting","deduplication","correlation","soar","incident-response"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","sre","soc-analyst"]
    },
    {
      "title": "Forensic Readiness: Log Retention, Capture, and Chain of Custody for Incident Response",
      "url": "/articles/observability/forensic-readiness/",
      "full_url": "https://www.systemshardening.com/articles/observability/forensic-readiness/",
      "category": "observability",
      "tags": ["forensic-readiness","incident-response","logging","retention","audit"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","soc-analyst","compliance"]
    },
    {
      "title": "Honeypot and Deception Technology in Kubernetes: Canary Tokens, Fake Credentials, and Honeypod Pods",
      "url": "/articles/observability/honeypot-deception-kubernetes/",
      "full_url": "https://www.systemshardening.com/articles/observability/honeypot-deception-kubernetes/",
      "category": "observability",
      "tags": ["honeypot","deception","canary-tokens","kubernetes","detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Security SLOs and Error Budgets: SRE Discipline Applied to Detection and Response",
      "url": "/articles/observability/security-slos/",
      "full_url": "https://www.systemshardening.com/articles/observability/security-slos/",
      "category": "observability",
      "tags": ["slo","sre","metrics","detection","incident-response"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","sre","engineering-manager"]
    },
    {
      "title": "Threat Hunting with Osquery: Fleet Queries, Detection Packs, and IOC Sweeps",
      "url": "/articles/observability/threat-hunting-osquery/",
      "full_url": "https://www.systemshardening.com/articles/observability/threat-hunting-osquery/",
      "category": "observability",
      "tags": ["osquery","threat-hunting","detection","fleet","ioc"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Spin Framework Security: Component Isolation, Triggers, and Secret Management",
      "url": "/articles/wasm/spin-framework-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/spin-framework-security/",
      "category": "wasm",
      "tags": ["spin","fermyon","wasm","serverless","component-model"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "WASM Cold-Start Optimization for Security Workloads: Pre-Compilation, Snapshots, and AOT",
      "url": "/articles/wasm/wasm-cold-start/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-cold-start/",
      "category": "wasm",
      "tags": ["wasm","cold-start","performance","wasmtime","ahead-of-time"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "WASM in IoT and Embedded Production: WasmEdge, wasm3, WAMR, and OTA Update Security",
      "url": "/articles/wasm/wasm-iot-embedded/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-iot-embedded/",
      "category": "wasm",
      "tags": ["wasm","iot","embedded","wasmedge","ota","wamr"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "WASM Plugin Architecture Threat Modeling: Trust Boundaries, Host-API Exposure, and Supply Chain",
      "url": "/articles/wasm/wasm-plugin-threat-modeling/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-plugin-threat-modeling/",
      "category": "wasm",
      "tags": ["wasm","threat-modeling","plugin-architecture","security-design"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "WASM Threads and Shared Memory Security: SharedArrayBuffer, Atomics, and Spectre Mitigations",
      "url": "/articles/wasm/wasm-threads-shared-memory/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-threads-shared-memory/",
      "category": "wasm",
      "tags": ["wasm","threads","shared-memory","spectre","security"],
      "difficulty": "advanced",
      "reading_time_minutes": 13,
      "date": "2026-04-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "C2PA Content Credentials: Cryptographic Provenance for AI-Generated Media in Production",
      "url": "/articles/ai-landscape/c2pa-content-credentials/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/c2pa-content-credentials/",
      "category": "ai-landscape",
      "tags": ["c2pa","content-credentials","deepfake","provenance","ai-safety"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","trust-and-safety"]
    },
    {
      "title": "MCP Authentication Patterns: OAuth 2.1, Capability Tokens, and Per-Tool Authorization",
      "url": "/articles/ai-landscape/mcp-authentication/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mcp-authentication/",
      "category": "ai-landscape",
      "tags": ["mcp","authentication","oauth","agents","ai-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "Prompt Cache Security: Side-Channels, Poisoning, and Tenant Isolation in LLM Provider Caches",
      "url": "/articles/ai-landscape/prompt-cache-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/prompt-cache-security/",
      "category": "ai-landscape",
      "tags": ["prompt-cache","llm","side-channel","ai-security","anthropic","openai"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "Ephemeral CI Runners with Firecracker and Kata: VM-Level Isolation for Build Jobs",
      "url": "/articles/cicd/firecracker-kata-ci-runners/",
      "full_url": "https://www.systemshardening.com/articles/cicd/firecracker-kata-ci-runners/",
      "category": "cicd",
      "tags": ["cicd","firecracker","kata","runners","isolation"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","devops"]
    },
    {
      "title": "OIDC Federation Hardening: Locking Down CI-to-Cloud Trust Policies",
      "url": "/articles/cicd/oidc-federation-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/oidc-federation-hardening/",
      "category": "cicd",
      "tags": ["oidc","github-actions","aws","iam","federation","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","devops"]
    },
    {
      "title": "Branch Protection and Repository Policy as Code: Terraform GitHub for Hundreds of Repos",
      "url": "/articles/cicd/repo-policy-as-code/",
      "full_url": "https://www.systemshardening.com/articles/cicd/repo-policy-as-code/",
      "category": "cicd",
      "tags": ["github","terraform","branch-protection","policy-as-code","scm"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","devops"]
    },
    {
      "title": "Secrets Rotation Orchestration: Coordinating Vault, KMS, OIDC, and Database Credentials",
      "url": "/articles/cross-cutting/secrets-rotation-orchestration/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/secrets-rotation-orchestration/",
      "category": "cross-cutting",
      "tags": ["secrets-rotation","vault","kms","operations","production"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "SPIFFE and SPIRE for Workload Identity Across Clusters and Clouds",
      "url": "/articles/cross-cutting/spiffe-spire-workload-identity/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/spiffe-spire-workload-identity/",
      "category": "cross-cutting",
      "tags": ["spiffe","spire","workload-identity","zero-trust","mtls"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Threat Modeling at Scale: STRIDE-per-Component, PASTA, and Continuous Threat Modeling",
      "url": "/articles/cross-cutting/threat-modeling-at-scale/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/threat-modeling-at-scale/",
      "category": "cross-cutting",
      "tags": ["threat-modeling","stride","pasta","security-design","continuous"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","engineering-manager"]
    },
    {
      "title": "Confidential Containers on Kubernetes: AMD SEV-SNP, Intel TDX, and the Attestation Flow",
      "url": "/articles/kubernetes/confidential-containers/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/confidential-containers/",
      "category": "kubernetes",
      "tags": ["kubernetes","confidential-computing","kata","sev-snp","tdx","attestation"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","compliance"]
    },
    {
      "title": "User Namespaces for Pods: UID Remapping, Container Escape Defense, and the GA Path in Kubernetes 1.30+",
      "url": "/articles/kubernetes/user-namespaces-pods/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/user-namespaces-pods/",
      "category": "kubernetes",
      "tags": ["kubernetes","user-namespaces","userns","container-escape","isolation"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "ValidatingAdmissionPolicy with CEL: Native Kubernetes Admission Without Webhooks",
      "url": "/articles/kubernetes/validating-admission-policy-cel/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/validating-admission-policy-cel/",
      "category": "kubernetes",
      "tags": ["kubernetes","admission-control","cel","vap","policy"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "FIDO2 SSH with sk-* Keys: Hardware-Backed Authentication for Production Hosts",
      "url": "/articles/linux/fido2-ssh/",
      "full_url": "https://www.systemshardening.com/articles/linux/fido2-ssh/",
      "category": "linux",
      "tags": ["ssh","fido2","yubikey","passkey","openssh","linux"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Kernel Lockdown Mode: Blocking Root from Modifying the Running Kernel",
      "url": "/articles/linux/kernel-lockdown/",
      "full_url": "https://www.systemshardening.com/articles/linux/kernel-lockdown/",
      "category": "linux",
      "tags": ["kernel-lockdown","secure-boot","linux","kernel","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Landlock LSM: Unprivileged Kernel Sandboxing for Production Linux Applications",
      "url": "/articles/linux/landlock-lsm/",
      "full_url": "https://www.systemshardening.com/articles/linux/landlock-lsm/",
      "category": "linux",
      "tags": ["landlock","lsm","sandboxing","kernel","linux","application-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "eBPF-XDP for L4 DDoS Mitigation: Line-Rate Drop in the Kernel",
      "url": "/articles/network/ebpf-xdp-ddos/",
      "full_url": "https://www.systemshardening.com/articles/network/ebpf-xdp-ddos/",
      "category": "network",
      "tags": ["ebpf","xdp","ddos","linux","network-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Encrypted Client Hello (ECH) Deployment on NGINX, Cloudflare, and Internal Edges",
      "url": "/articles/network/encrypted-client-hello/",
      "full_url": "https://www.systemshardening.com/articles/network/encrypted-client-hello/",
      "category": "network",
      "tags": ["ech","tls","nginx","cloudflare","sni","privacy"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "HTTP/2 RST and CONTINUATION Flood Mitigation: CVE-2023-44487, CVE-2024-27316, and Beyond",
      "url": "/articles/network/http2-flood-mitigation/",
      "full_url": "https://www.systemshardening.com/articles/network/http2-flood-mitigation/",
      "category": "network",
      "tags": ["http2","ddos","nginx","envoy","rst-flood","continuation-flood"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Detection Engineering Metrics: MTTD, MTTR, Signal-to-Noise, and Coverage Tracking",
      "url": "/articles/observability/detection-engineering-metrics/",
      "full_url": "https://www.systemshardening.com/articles/observability/detection-engineering-metrics/",
      "category": "observability",
      "tags": ["detection-engineering","mttd","mttr","metrics","soc"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["security-engineer","soc-analyst","sre"]
    },
    {
      "title": "OpenTelemetry PII Leakage: Stopping Sensitive Data in Span Attributes, Baggage, and Logs",
      "url": "/articles/observability/otel-pii-leakage/",
      "full_url": "https://www.systemshardening.com/articles/observability/otel-pii-leakage/",
      "category": "observability",
      "tags": ["opentelemetry","pii","redaction","tracing","baggage","compliance"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["sre","security-engineer","platform-engineer"]
    },
    {
      "title": "SIEM Cost Optimization: Cardinality, Retention, Sampling, and Index-Tier Strategy",
      "url": "/articles/observability/siem-cost-optimization/",
      "full_url": "https://www.systemshardening.com/articles/observability/siem-cost-optimization/",
      "category": "observability",
      "tags": ["siem","splunk","elastic","cost-optimization","observability"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["security-engineer","sre","soc-analyst"]
    },
    {
      "title": "Edge Runtime WASM Hardening: Cloudflare Workers, Fastly Compute, and Multi-Tenant Isolation",
      "url": "/articles/wasm/edge-wasm-hardening/",
      "full_url": "https://www.systemshardening.com/articles/wasm/edge-wasm-hardening/",
      "category": "wasm",
      "tags": ["edge","cloudflare-workers","fastly","wasm","multi-tenancy"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "Envoy and Istio WASM Plugin Hardening: Resource Limits, ABI Selection, and Distribution",
      "url": "/articles/wasm/envoy-wasm-plugin-hardening/",
      "full_url": "https://www.systemshardening.com/articles/wasm/envoy-wasm-plugin-hardening/",
      "category": "wasm",
      "tags": ["envoy","istio","wasm","service-mesh","plugins"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "NGINX WASM Filters with ngx_wasm_module: Request-Path Plugins, Resource Caps, and Distribution",
      "url": "/articles/wasm/nginx-wasm-filters/",
      "full_url": "https://www.systemshardening.com/articles/wasm/nginx-wasm-filters/",
      "category": "wasm",
      "tags": ["nginx","wasm","ngx_wasm_module","proxy-wasm","plugins"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "Reproducible WASM Builds and SBOM Generation: Deterministic Compilation, CycloneDX, In-Toto Attestations",
      "url": "/articles/wasm/reproducible-wasm-builds/",
      "full_url": "https://www.systemshardening.com/articles/wasm/reproducible-wasm-builds/",
      "category": "wasm",
      "tags": ["wasm","reproducible-builds","sbom","cyclonedx","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops"]
    },
    {
      "title": "WASI HTTP Server Hardening: Production Patterns for wasi:http/incoming-handler",
      "url": "/articles/wasm/wasi-http-server-hardening/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasi-http-server-hardening/",
      "category": "wasm",
      "tags": ["wasi","http","wasm","spin","wasmcloud","fastly"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "WASI Preview 2 Capability-Based Security: filesystem, sockets, http, and the Component Model",
      "url": "/articles/wasm/wasi-preview-2-capabilities/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasi-preview-2-capabilities/",
      "category": "wasm",
      "tags": ["wasi","preview-2","component-model","capabilities","wasm"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "WASI Sockets API Hardening: TCP, UDP, and TLS Capability Scoping for Network-Bound WASM",
      "url": "/articles/wasm/wasi-sockets-hardening/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasi-sockets-hardening/",
      "category": "wasm",
      "tags": ["wasm","wasi","sockets","networking","capability-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "WASM AI Inference: Isolating ONNX Runtime Web, llama.cpp WASM, and On-Device Models",
      "url": "/articles/wasm/wasm-ai-inference/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-ai-inference/",
      "category": "wasm",
      "tags": ["wasm","ai","inference","onnx","llama-cpp","edge-ai"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["ml-engineer","platform-engineer","security-engineer"]
    },
    {
      "title": "WASM Component Model Security Boundaries: Composition, Capability Passing, and Trust Decisions",
      "url": "/articles/wasm/wasm-component-model-security/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-component-model-security/",
      "category": "wasm",
      "tags": ["wasm","component-model","wit","composition","capabilities"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "WASM in Databases: pg_wasm, ClickHouse UDFs, SurrealDB Extensions",
      "url": "/articles/wasm/wasm-in-databases/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-in-databases/",
      "category": "wasm",
      "tags": ["wasm","postgres","clickhouse","surrealdb","database-extensions"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["dba","platform-engineer","security-engineer"]
    },
    {
      "title": "WASM Multi-Tenancy Patterns: Resource Quotas, Fair Scheduling, and Tenant Isolation Failures",
      "url": "/articles/wasm/wasm-multi-tenancy/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-multi-tenancy/",
      "category": "wasm",
      "tags": ["wasm","multi-tenancy","isolation","scheduling","wasmtime"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ml-engineer"]
    },
    {
      "title": "OCI WASM Module Signing and Verification: cosign, notation, and Admission-Time Enforcement",
      "url": "/articles/wasm/wasm-oci-signing/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-oci-signing/",
      "category": "wasm",
      "tags": ["wasm","oci","cosign","supply-chain","signing"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","devops"]
    },
    {
      "title": "WASM Workloads on Kubernetes: runwasi, Spin, and the Threat Model Shift from OCI Containers",
      "url": "/articles/wasm/wasm-on-kubernetes/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-on-kubernetes/",
      "category": "wasm",
      "tags": ["wasm","kubernetes","runwasi","spin","wasmcloud","containerd"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "WASM Module Static Analysis and Vulnerability Scanning: wasm-tools, twiggy, and CVE Detection",
      "url": "/articles/wasm/wasm-static-analysis/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasm-static-analysis/",
      "category": "wasm",
      "tags": ["wasm","static-analysis","wasm-tools","twiggy","vulnerability-scanning"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops"]
    },
    {
      "title": "Wasmtime Production Hardening: Fuel, Memory, Epoch Interrupts, and WASI Capability Allowlists",
      "url": "/articles/wasm/wasmtime-production-hardening/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wasmtime-production-hardening/",
      "category": "wasm",
      "tags": ["wasmtime","wasi","sandboxing","wasm","rust"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "Wazero Hardening for Go Embedders: Resource Limits, WASI Capabilities, and Plugin Isolation",
      "url": "/articles/wasm/wazero-hardening/",
      "full_url": "https://www.systemshardening.com/articles/wasm/wazero-hardening/",
      "category": "wasm",
      "tags": ["wazero","go","wasm","embedding","sandboxing"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-04-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","systems-engineer"]
    },
    {
      "title": "Agent Memory Poisoning: Defending the Persistence Layer of Long-Running LLM Agents",
      "url": "/articles/ai-landscape/agent-memory-poisoning/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/agent-memory-poisoning/",
      "category": "ai-landscape",
      "tags": ["ai-agents","memory-poisoning","prompt-injection","vector-database","agentic-ai"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-04-24T00:00:00.000Z",
      "personas": ["security-engineer","ml-engineer","platform-engineer"]
    },
    {
      "title": "CI/CD Pipeline Egress Control: Runner Network Isolation, Allowlists, and Supply-Chain Exfiltration Defense",
      "url": "/articles/cicd/pipeline-egress-control/",
      "full_url": "https://www.systemshardening.com/articles/cicd/pipeline-egress-control/",
      "category": "cicd",
      "tags": ["cicd","github-actions","egress","network-policy","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-04-24T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","devops"]
    },
    {
      "title": "Post-Quantum Crypto Migration Plan: Hybrid TLS, SSH, Code Signing, and Encryption at Rest",
      "url": "/articles/cross-cutting/post-quantum-migration/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/post-quantum-migration/",
      "category": "cross-cutting",
      "tags": ["post-quantum","cryptography","tls","ssh","migration","pqc"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-04-24T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","compliance"]
    },
    {
      "title": "Gateway API Security Patterns: Multi-Team Routing, ReferenceGrant, and Delegated Trust on Kubernetes",
      "url": "/articles/kubernetes/gateway-api-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/gateway-api-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","gateway-api","ingress","network-security","multi-tenancy"],
      "difficulty": "intermediate",
      "reading_time_minutes": 17,
      "date": "2026-04-24T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","sre"]
    },
    {
      "title": "io_uring Security and Hardening: Disabling, Restricting, and Auditing a Bypass-Prone Syscall Interface",
      "url": "/articles/linux/io-uring-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/io-uring-hardening/",
      "category": "linux",
      "tags": ["io_uring","kernel","seccomp","sandboxing","linux","container-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-24T00:00:00.000Z",
      "personas": ["systems-engineer","platform-engineer","security-engineer"]
    },
    {
      "title": "HTTP/3 and QUIC Production Hardening: UDP Amplification, 0-RTT Replay, and Connection ID Privacy",
      "url": "/articles/network/http3-quic-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/http3-quic-hardening/",
      "category": "network",
      "tags": ["quic","http3","tls","udp","ddos","nginx","envoy"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-04-24T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer"]
    },
    {
      "title": "Detection-as-Code with Sigma: Versioned, Tested, Vendor-Neutral SIEM Rules",
      "url": "/articles/observability/detection-as-code-sigma/",
      "full_url": "https://www.systemshardening.com/articles/observability/detection-as-code-sigma/",
      "category": "observability",
      "tags": ["detection","sigma","siem","detection-as-code","splunk","elastic"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-04-24T00:00:00.000Z",
      "personas": ["security-engineer","sre","soc-analyst"]
    },
    {
      "title": "AI-Adaptive Malware: How Modern Payloads Change Behaviour Based on Their Environment and How to Defend Against Them",
      "url": "/articles/ai-landscape/ai-adaptive-malware-defence/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-adaptive-malware-defence/",
      "category": "ai-landscape",
      "tags": ["ai-security","malware","adaptive-payloads","polymorphic","edr","ebpf","tetragon","canary-tokens","deception","immutable-infrastructure"],
      "difficulty": "advanced",
      "reading_time_minutes": 26,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["security-engineer","sre","systems-engineer"]
    },
    {
      "title": "Running AI-Powered Security Assessments on Your Own Infrastructure: Using Frontier Models Before Attackers Do",
      "url": "/articles/ai-landscape/ai-powered-security-assessments/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-powered-security-assessments/",
      "category": "ai-landscape",
      "tags": ["ai-security","mythos","security-assessment","code-review","iac-review","audit","semgrep","claude"],
      "difficulty": "advanced",
      "reading_time_minutes": 24,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "Defending Against AI-Amplified Social Engineering: Phishing, Voice Cloning, and Deepfake Impersonation",
      "url": "/articles/ai-landscape/ai-social-engineering-defence/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-social-engineering-defence/",
      "category": "ai-landscape",
      "tags": ["ai-security","phishing","deepfakes","voice-cloning","social-engineering","fido2","webauthn","dmarc","email-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["security-engineer","systems-engineer","sre"]
    },
    {
      "title": "Mythos and the Vulnerability Classes AI Finds First: Eliminating Your Highest-Risk Attack Surface",
      "url": "/articles/ai-landscape/mythos-proactive-attack-surface-reduction/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mythos-proactive-attack-surface-reduction/",
      "category": "ai-landscape",
      "tags": ["ai-security","mythos","attack-surface","hardening","secrets-management","network-policy","opa","gatekeeper"],
      "difficulty": "advanced",
      "reading_time_minutes": 22,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Software Supply Chain and Third-Party Exposure: Defending Against Upstream Compromise",
      "url": "/articles/cicd/software-supply-chain-third-party-risk/",
      "full_url": "https://www.systemshardening.com/articles/cicd/software-supply-chain-third-party-risk/",
      "category": "cicd",
      "tags": ["supply-chain","third-party-risk","dependencies","sbom","slsa","sigstore","vendor-security","dependency-pinning"],
      "difficulty": "advanced",
      "reading_time_minutes": 24,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer"]
    },
    {
      "title": "Identity Abuse and Credential Compromise: Defending Against Attackers Who Log In Instead of Break In",
      "url": "/articles/cross-cutting/identity-abuse-credential-compromise/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/identity-abuse-credential-compromise/",
      "category": "cross-cutting",
      "tags": ["identity","credentials","session-tokens","mfa-bypass","zero-trust","lateral-movement","authentication","sso"],
      "difficulty": "advanced",
      "reading_time_minutes": 24,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "Ransomware 3.0 and Multi-Stage Extortion: Defence, Detection, and Recovery",
      "url": "/articles/cross-cutting/ransomware-multi-extortion-defence/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/ransomware-multi-extortion-defence/",
      "category": "cross-cutting",
      "tags": ["ransomware","extortion","backup","immutable-backups","incident-response","data-exfiltration","encryption","recovery"],
      "difficulty": "advanced",
      "reading_time_minutes": 26,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["security-engineer","sre","systems-engineer","platform-engineer"]
    },
    {
      "title": "LLMs on Kubernetes: Understanding the Threat Model and Deploying an LLM Gateway",
      "url": "/articles/kubernetes/llm-kubernetes-threat-model/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/llm-kubernetes-threat-model/",
      "category": "kubernetes",
      "tags": ["llm","threat-model","owasp","ollama","llm-gateway","litellm","prompt-injection","ai-security","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 26,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ai-ml-engineer"]
    },
    {
      "title": "Secure Cloud VM Access: SSH Key Authentication, Two-Factor Login, VPN, and Audit Logging",
      "url": "/articles/linux/secure-cloud-vm-access/",
      "full_url": "https://www.systemshardening.com/articles/linux/secure-cloud-vm-access/",
      "category": "linux",
      "tags": ["ssh","2fa","totp","wireguard","vpn","audit-logging","cloud","authentication","google-authenticator"],
      "difficulty": "intermediate",
      "reading_time_minutes": 24,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer","devops-engineer"]
    },
    {
      "title": "DDoS Megascale Operations: Defending Against AI-Orchestrated Terabit Attacks and Botnet Smokescreens",
      "url": "/articles/network/ddos-megascale-defence/",
      "full_url": "https://www.systemshardening.com/articles/network/ddos-megascale-defence/",
      "category": "network",
      "tags": ["ddos","botnet","iot","rate-limiting","edge-defence","cloudflare","nginx","nftables","smokescreen"],
      "difficulty": "advanced",
      "reading_time_minutes": 24,
      "date": "2026-04-23T00:00:00.000Z",
      "personas": ["security-engineer","sre","systems-engineer","platform-engineer"]
    },
    {
      "title": "Secret Management in CI/CD Pipelines: Vault, SOPS, and OIDC Federation",
      "url": "/articles/cicd/cicd-secret-management/",
      "full_url": "https://www.systemshardening.com/articles/cicd/cicd-secret-management/",
      "category": "cicd",
      "tags": ["secrets","vault","sops","oidc","cicd","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-04-21T00:00:00.000Z",
      "personas": ["devops-engineer","platform-engineer"]
    },
    {
      "title": "IPv6 Security in Production: Hardening Dual-Stack Deployments",
      "url": "/articles/network/ipv6-security/",
      "full_url": "https://www.systemshardening.com/articles/network/ipv6-security/",
      "category": "network",
      "tags": ["ipv6","dual-stack","nftables","ndp","firewall","kubernetes","network-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-04-21T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer"]
    },
    {
      "title": "Software Bill of Materials (SBOM) Generation and Consumption in CI/CD",
      "url": "/articles/cicd/sbom/",
      "full_url": "https://www.systemshardening.com/articles/cicd/sbom/",
      "category": "cicd",
      "tags": ["sbom","syft","grype","supply-chain","vulnerability","compliance"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-19T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer"]
    },
    {
      "title": "Training Data Extraction Prevention: Stopping Models from Leaking Memorised Data",
      "url": "/articles/ai-landscape/training-data-extraction/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/training-data-extraction/",
      "category": "ai-landscape",
      "tags": ["training-data","data-extraction","memorisation","differential-privacy","canary-tokens","llm-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-16T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer"]
    },
    {
      "title": "SSH Hardening Beyond the Basics: Certificate Authentication, Jump Hosts, and Logging",
      "url": "/articles/linux/ssh-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/ssh-hardening/",
      "category": "linux",
      "tags": ["ssh","certificates","hardening","bastion","session-recording","authentication"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-04-16T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer"]
    },
    {
      "title": "Kubernetes Node Hardening: From OS Configuration to kubelet Lockdown",
      "url": "/articles/kubernetes/node-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/node-hardening/",
      "category": "kubernetes",
      "tags": ["kubernetes","node-security","kubelet","containerd","os-hardening","kernel"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-04-15T00:00:00.000Z",
      "personas": ["platform-engineer","systems-engineer"]
    },
    {
      "title": "Security Dashboards That Engineers Actually Use: Grafana Designs for Hardening Verification",
      "url": "/articles/observability/security-dashboards/",
      "full_url": "https://www.systemshardening.com/articles/observability/security-dashboards/",
      "category": "observability",
      "tags": ["grafana","dashboards","security-monitoring","visualization","sli"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-13T00:00:00.000Z",
      "personas": ["sre","security-engineer"]
    },
    {
      "title": "Model Extraction Prevention: Detecting and Blocking Model Stealing Through API Queries",
      "url": "/articles/ai-landscape/model-extraction-prevention/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/model-extraction-prevention/",
      "category": "ai-landscape",
      "tags": ["model-extraction","model-stealing","api-security","rate-limiting","watermarking"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-12T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer"]
    },
    {
      "title": "GPU Workload Isolation: MIG, MPS, and vGPU Security Boundaries",
      "url": "/articles/kubernetes/gpu-isolation/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/gpu-isolation/",
      "category": "kubernetes",
      "tags": ["gpu","nvidia","mig","isolation","multi-tenant","ai"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-12T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer"]
    },
    {
      "title": "gRPC API Gateway Patterns: Authentication, Rate Limiting, and Request Validation at the Edge",
      "url": "/articles/network/grpc-api-gateway-patterns/",
      "full_url": "https://www.systemshardening.com/articles/network/grpc-api-gateway-patterns/",
      "category": "network",
      "tags": ["grpc","api-gateway","envoy","rate-limiting","grpc-web","authentication"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-04-12T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "Securing AI Agents in Production: Tool-Use Boundaries, Credential Scoping, and Output Verification",
      "url": "/articles/ai-landscape/securing-ai-agents/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/securing-ai-agents/",
      "category": "ai-landscape",
      "tags": ["ai-agents","security","rbac","vault","credential-scoping","guardrails"],
      "difficulty": "advanced",
      "reading_time_minutes": 20,
      "date": "2026-04-11T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Hardening DNS Resolution on Linux: systemd-resolved, Unbound, and DNS-over-TLS",
      "url": "/articles/linux/dns-resolution-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/dns-resolution-hardening/",
      "category": "linux",
      "tags": ["dns","systemd-resolved","unbound","dns-over-tls","dnssec","linux"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-04-11T00:00:00.000Z",
      "personas": ["systems-engineer","sre"]
    },
    {
      "title": "The Hardening Scorecard: Measuring and Tracking Security Posture",
      "url": "/articles/cross-cutting/hardening-scorecard/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/hardening-scorecard/",
      "category": "cross-cutting",
      "tags": ["metrics","scorecard","cis-benchmark","compliance","grafana","security-posture"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-10T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "NGINX Hardening Beyond TLS: Request Filtering, Buffer Limits, and Connection Controls",
      "url": "/articles/network/nginx-hardening-beyond-tls/",
      "full_url": "https://www.systemshardening.com/articles/network/nginx-hardening-beyond-tls/",
      "category": "network",
      "tags": ["nginx","hardening","reverse-proxy","rate-limiting","request-filtering","security-headers"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-04-10T00:00:00.000Z",
      "personas": ["systems-engineer","platform-engineer"]
    },
    {
      "title": "OpenTelemetry for Security: Distributed Tracing of Authentication and Authorization Flows",
      "url": "/articles/observability/otel-security-tracing/",
      "full_url": "https://www.systemshardening.com/articles/observability/otel-security-tracing/",
      "category": "observability",
      "tags": ["opentelemetry","tracing","authentication","security-monitoring","observability"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-09T00:00:00.000Z",
      "personas": ["sre","security-engineer"]
    },
    {
      "title": "Building an AI Governance Pipeline: Automated Checks from Training to Production",
      "url": "/articles/ai-landscape/ai-governance-pipeline/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-governance-pipeline/",
      "category": "ai-landscape",
      "tags": ["ai-governance","governance-as-code","ml-pipeline","compliance-automation","model-approval"],
      "difficulty": "advanced",
      "reading_time_minutes": 19,
      "date": "2026-04-08T00:00:00.000Z",
      "personas": ["platform-engineer","ai-ml-engineer","compliance-lead"]
    },
    {
      "title": "Hardening the Linux Kernel Attack Surface with sysctl and Boot Parameters",
      "url": "/articles/linux/sysctl-kernel-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/sysctl-kernel-hardening/",
      "category": "linux",
      "tags": ["sysctl","kernel","hardening","linux","network-stack","memory-protection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-04-08T00:00:00.000Z",
      "personas": ["systems-engineer","sre"]
    },
    {
      "title": "OpenTelemetry Collector Pipelines: Securing Receivers, Processors, and Exporters",
      "url": "/articles/observability/otel-collector-pipelines/",
      "full_url": "https://www.systemshardening.com/articles/observability/otel-collector-pipelines/",
      "category": "observability",
      "tags": ["opentelemetry","otel-collector","receivers","exporters","processors","pipelines"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-04-08T00:00:00.000Z",
      "personas": ["sre","platform-engineer","security-engineer"]
    },
    {
      "title": "GPU Cost and Security Monitoring: Detecting Abuse and Optimising Spend",
      "url": "/articles/kubernetes/gpu-cost-security-monitoring/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/gpu-cost-security-monitoring/",
      "category": "kubernetes",
      "tags": ["gpu","monitoring","prometheus","dcgm","cost","crypto-mining"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-04-06T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","sre"]
    },
    {
      "title": "Rate Limiting at the Ingress Layer: NGINX, Envoy, and Cloud Load Balancers Compared",
      "url": "/articles/network/rate-limiting-ingress/",
      "full_url": "https://www.systemshardening.com/articles/network/rate-limiting-ingress/",
      "category": "network",
      "tags": ["rate-limiting","nginx","envoy","ingress","load-balancer","api-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-04-06T00:00:00.000Z",
      "personas": ["platform-engineer","sre"]
    },
    {
      "title": "Protecting Internal APIs: Network Segmentation, Authentication, and Access Logging",
      "url": "/articles/network/internal-api-protection/",
      "full_url": "https://www.systemshardening.com/articles/network/internal-api-protection/",
      "category": "network",
      "tags": ["internal-api","zero-trust","network-policy","mtls","kubernetes","service-mesh","access-logging"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-04-05T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "AI Supply Chain Attack Surface: Models, Datasets, and Inference Dependencies",
      "url": "/articles/ai-landscape/ai-supply-chain-attack-surface/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-supply-chain-attack-surface/",
      "category": "ai-landscape",
      "tags": ["ai-security","supply-chain","model-poisoning","sbom","dependency-scanning","cosign"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-04-04T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","devops-engineer"]
    },
    {
      "title": "EU AI Act Compliance for Infrastructure Teams: Risk Classification, Documentation, and Technical Controls",
      "url": "/articles/ai-landscape/eu-ai-act-compliance/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/eu-ai-act-compliance/",
      "category": "ai-landscape",
      "tags": ["eu-ai-act","compliance","risk-classification","ai-governance","technical-documentation"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-04-03T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","compliance-lead"]
    },
    {
      "title": "LLM Rate Limiting in Production: Token Budgets, Per-User Quotas, and Abuse Detection",
      "url": "/articles/kubernetes/llm-rate-limiting/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/llm-rate-limiting/",
      "category": "kubernetes",
      "tags": ["ai","rate-limiting","tokens","redis","envoy","abuse-detection","kong"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-04-03T00:00:00.000Z",
      "personas": ["platform-engineer","ai-ml-engineer","devops-engineer"]
    },
    {
      "title": "Terraform Security: State File Protection, Provider Pinning, and Plan Review Automation",
      "url": "/articles/cicd/terraform-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/terraform-security/",
      "category": "cicd",
      "tags": ["terraform","iac","state-file","security","opentofu","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-04-02T00:00:00.000Z",
      "personas": ["devops-engineer","platform-engineer"]
    },
    {
      "title": "Runtime Security with Falco on Kubernetes: Rules, Tuning, and Response Automation",
      "url": "/articles/kubernetes/falco-runtime-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/falco-runtime-security/",
      "category": "kubernetes",
      "tags": ["falco","runtime-security","ebpf","detection","kubernetes","falcosidekick"],
      "difficulty": "advanced",
      "reading_time_minutes": 22,
      "date": "2026-04-02T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Load Balancer Security: Health Check Abuse, Connection Draining, and TLS Termination",
      "url": "/articles/network/load-balancer-security/",
      "full_url": "https://www.systemshardening.com/articles/network/load-balancer-security/",
      "category": "network",
      "tags": ["load-balancer","haproxy","nginx","tls-termination","health-checks","x-forwarded-for","proxy-protocol"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-04-02T00:00:00.000Z",
      "personas": ["sre","platform-engineer"]
    },
    {
      "title": "MCP Tool Permission Patterns: Least Privilege, Approval Workflows, and Scope Boundaries",
      "url": "/articles/ai-landscape/mcp-tool-permission-patterns/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mcp-tool-permission-patterns/",
      "category": "ai-landscape",
      "tags": ["mcp","model-context-protocol","tool-permissions","least-privilege","approval-workflow","audit-logging","capability-tokens"],
      "difficulty": "advanced",
      "reading_time_minutes": 19,
      "date": "2026-04-01T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","ai-ml-engineer"]
    },
    {
      "title": "Claude for Application Security: Finding Logic Vulnerabilities in Source Code",
      "url": "/articles/ai-landscape/claude-code-vulnerability/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/claude-code-vulnerability/",
      "category": "ai-landscape",
      "tags": ["claude","llm","application-security","code-review","sast","vulnerability","python","go"],
      "difficulty": "advanced",
      "reading_time_minutes": 22,
      "date": "2026-03-31T00:00:00.000Z",
      "personas": ["security-engineer","software-engineer","appsec-engineer","devops-engineer"]
    },
    {
      "title": "API Gateway Security: Authentication, Authorization, and Request Validation",
      "url": "/articles/network/api-gateway-security/",
      "full_url": "https://www.systemshardening.com/articles/network/api-gateway-security/",
      "category": "network",
      "tags": ["api-gateway","jwt","oauth2","kong","apisix","envoy","request-validation","authentication"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-03-30T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Auditing AI Actions at Scale: Building Tamper-Proof Logs for Non-Human Actors",
      "url": "/articles/ai-landscape/auditing-ai-actions/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/auditing-ai-actions/",
      "category": "ai-landscape",
      "tags": ["ai-agents","audit-logging","opentelemetry","immutable-storage","forensics"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-03-29T00:00:00.000Z",
      "personas": ["security-engineer","sre","ai-ml-engineer"]
    },
    {
      "title": "Container Registry Security: Access Control, Vulnerability Scanning, and Garbage Collection",
      "url": "/articles/cicd/container-registry-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/container-registry-security/",
      "category": "cicd",
      "tags": ["container-registry","harbor","vulnerability-scanning","trivy","image-signing"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-03-29T00:00:00.000Z",
      "personas": ["devops-engineer","platform-engineer"]
    },
    {
      "title": "Kubernetes Network Policies That Actually Work: From Default Deny to Microsegmentation",
      "url": "/articles/kubernetes/kubernetes-network-policies/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-network-policies/",
      "category": "kubernetes",
      "tags": ["kubernetes","network-policy","cilium","calico","microsegmentation","cni"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-03-29T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Compliance-as-Code: Mapping CIS Benchmarks to Automated Checks with InSpec and Kube-bench",
      "url": "/articles/cross-cutting/compliance-as-code/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/compliance-as-code/",
      "category": "cross-cutting",
      "tags": ["compliance","cis","inspec","kube-bench","automation","soc2"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-03-28T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer"]
    },
    {
      "title": "LLM Cost Controls: Budget Enforcement, Token Metering, and Spend Alerting",
      "url": "/articles/kubernetes/llm-cost-controls/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/llm-cost-controls/",
      "category": "kubernetes",
      "tags": ["ai","cost-controls","budgets","metering","grafana","prometheus","kubernetes"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-03-28T00:00:00.000Z",
      "personas": ["platform-engineer","ai-ml-engineer","devops-engineer","finops"]
    },
    {
      "title": "Pipeline-as-Code Security: Preventing CI Configuration Tampering",
      "url": "/articles/cicd/pipeline-config-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/pipeline-config-security/",
      "category": "cicd",
      "tags": ["cicd","pipeline-security","github-actions","gitlab-ci","branch-protection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-03-26T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer"]
    },
    {
      "title": "Kubelet Security Configuration: Authentication, Authorization, and Read-Only Port",
      "url": "/articles/kubernetes/kubelet-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubelet-security/",
      "category": "kubernetes",
      "tags": ["kubernetes","kubelet","node-security","authentication","tls"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-03-26T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Hardening GRUB and the Boot Process: Secure Boot, Boot Passwords, and Tamper Detection",
      "url": "/articles/linux/grub-boot-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/grub-boot-hardening/",
      "category": "linux",
      "tags": ["grub","secure-boot","uefi","tpm","boot-hardening","linux"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-03-23T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer"]
    },
    {
      "title": "MCP Transport Security: Securing stdio, SSE, and HTTP Channels for Model Context Protocol",
      "url": "/articles/ai-landscape/mcp-transport-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mcp-transport-security/",
      "category": "ai-landscape",
      "tags": ["mcp","model-context-protocol","transport-security","tls","mtls","network-policy","reverse-proxy"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-03-22T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","ai-ml-engineer"]
    },
    {
      "title": "Kubernetes RBAC Design Patterns: Least Privilege Without Paralysing Developers",
      "url": "/articles/kubernetes/rbac-design-patterns/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/rbac-design-patterns/",
      "category": "kubernetes",
      "tags": ["kubernetes","rbac","authorization","least-privilege","access-control"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-03-22T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Claude for Kubernetes Security Auditing: Finding Privilege Escalation Paths Scanners Cannot See",
      "url": "/articles/ai-landscape/claude-kubernetes-audit/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/claude-kubernetes-audit/",
      "category": "ai-landscape",
      "tags": ["claude","llm","kubernetes","rbac","security-audit","privilege-escalation","helm"],
      "difficulty": "advanced",
      "reading_time_minutes": 22,
      "date": "2026-03-21T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","devops-engineer","sre"]
    },
    {
      "title": "Kubernetes Secrets Management: External Secrets Operator, Vault, and Sealed Secrets",
      "url": "/articles/kubernetes/secrets-management/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/secrets-management/",
      "category": "kubernetes",
      "tags": ["kubernetes","secrets","vault","external-secrets","sealed-secrets","gitops"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-03-21T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "LLM Jailbreak Defence: Detecting and Preventing System Prompt Bypasses in Production",
      "url": "/articles/ai-landscape/llm-jailbreak-defence/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-jailbreak-defence/",
      "category": "ai-landscape",
      "tags": ["jailbreak","llm-security","system-prompt","guardrails","content-safety"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-03-20T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer"]
    },
    {
      "title": "AI Incident Forensics: Reconstructing What an AI System Did, Why, and What Data It Accessed",
      "url": "/articles/kubernetes/ai-incident-forensics/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ai-incident-forensics/",
      "category": "kubernetes",
      "tags": ["incident-forensics","ai-security","logging","audit-trail","trace-reconstruction"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-03-19T00:00:00.000Z",
      "personas": ["security-engineer","sre","ai-ml-engineer"]
    },
    {
      "title": "TLS 1.3 Configuration for NGINX and Envoy: Ciphers, Certificates, and OCSP Stapling",
      "url": "/articles/network/tls-nginx-envoy/",
      "full_url": "https://www.systemshardening.com/articles/network/tls-nginx-envoy/",
      "category": "network",
      "tags": ["tls","nginx","envoy","certificates","cert-manager","ocsp"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-03-19T00:00:00.000Z",
      "personas": ["platform-engineer","sre"]
    },
    {
      "title": "Verifying AI Agent Output: Deterministic Checks, Human-in-the-Loop Gates, and Rollback Safety",
      "url": "/articles/ai-landscape/ai-agent-output-verification/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-agent-output-verification/",
      "category": "ai-landscape",
      "tags": ["ai-agents","output-verification","dry-run","rollback","human-in-the-loop","validation"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-03-18T00:00:00.000Z",
      "personas": ["platform-engineer","sre","security-engineer","ai-ml-engineer"]
    },
    {
      "title": "Hardening Helm Values: Schema Validation, Secret Injection, and Security Defaults",
      "url": "/articles/cicd/helm-values-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cicd/helm-values-hardening/",
      "category": "cicd",
      "tags": ["helm","kubernetes","schema-validation","external-secrets","security-contexts"],
      "difficulty": "intermediate",
      "reading_time_minutes": 17,
      "date": "2026-03-18T00:00:00.000Z",
      "personas": ["devops-engineer","platform-engineer"]
    },
    {
      "title": "Hardening Model Inference Endpoints: Authentication, Rate Limiting, and Input Validation",
      "url": "/articles/kubernetes/inference-endpoint-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/inference-endpoint-hardening/",
      "category": "kubernetes",
      "tags": ["ai","inference","rate-limiting","authentication","prompt-injection","gpu"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-03-18T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer"]
    },
    {
      "title": "mTLS for Service-to-Service Communication: Istio, Linkerd, and DIY with cert-manager",
      "url": "/articles/network/mtls-service-mesh/",
      "full_url": "https://www.systemshardening.com/articles/network/mtls-service-mesh/",
      "category": "network",
      "tags": ["mtls","service-mesh","istio","linkerd","cert-manager","kubernetes","zero-trust"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-03-18T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Securing MCP Servers: Authentication, Tool Sandboxing, and Input Validation for Model Context Protocol",
      "url": "/articles/ai-landscape/mcp-server-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/mcp-server-security/",
      "category": "ai-landscape",
      "tags": ["mcp","model-context-protocol","tool-sandboxing","input-validation","prompt-injection"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-03-17T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Securing CI/CD Runners: Isolation, Credential Scoping, and Ephemeral Environments",
      "url": "/articles/cicd/securing-cicd-runners/",
      "full_url": "https://www.systemshardening.com/articles/cicd/securing-cicd-runners/",
      "category": "cicd",
      "tags": ["cicd","runners","github-actions","oidc","ephemeral","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-03-14T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer"]
    },
    {
      "title": "Hardening PostgreSQL for Production: Authentication, Encryption, Row-Level Security, and Audit Logging",
      "url": "/articles/cross-cutting/postgresql-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/postgresql-hardening/",
      "category": "cross-cutting",
      "tags": ["postgresql","database","tls","rls","pgaudit","authentication"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-03-13T00:00:00.000Z",
      "personas": ["systems-engineer","sre"]
    },
    {
      "title": "Lateral Movement Detection: Network Patterns, Authentication Anomalies, and Alert Correlation",
      "url": "/articles/observability/lateral-movement-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/lateral-movement-detection/",
      "category": "observability",
      "tags": ["lateral-movement","cilium","hubble","network-monitoring","detection","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-03-13T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Hardening /proc and /sys: Restricting Kernel Information Disclosure",
      "url": "/articles/linux/proc-sys-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/proc-sys-hardening/",
      "category": "linux",
      "tags": ["proc","sysfs","hidepid","kernel","information-disclosure","hardening","linux"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-03-11T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer"]
    },
    {
      "title": "Claude for Infrastructure-as-Code Security Review: Terraform, CloudFormation, and Pulumi",
      "url": "/articles/ai-landscape/claude-iac-review/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/claude-iac-review/",
      "category": "ai-landscape",
      "tags": ["claude","llm","iac","terraform","cloudformation","pulumi","security-review","infrastructure"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-03-10T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer","cloud-architect"]
    },
    {
      "title": "LLM Prompt Security Patterns: System Prompt Protection, Input Sanitisation, and Context Isolation",
      "url": "/articles/ai-landscape/llm-prompt-security-patterns/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-prompt-security-patterns/",
      "category": "ai-landscape",
      "tags": ["llm-security","prompt-injection","system-prompt","input-sanitisation","context-isolation","multi-tenant"],
      "difficulty": "advanced",
      "reading_time_minutes": 19,
      "date": "2026-03-10T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","application-developer"]
    },
    {
      "title": "Kubernetes Admission Control: From PodSecurity Standards to Custom OPA/Kyverno Policies",
      "url": "/articles/kubernetes/kubernetes-admission-control/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/kubernetes-admission-control/",
      "category": "kubernetes",
      "tags": ["kubernetes","admission-control","kyverno","opa","gatekeeper","pod-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-03-10T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Algorithmic Auditing: Testing AI Systems for Bias, Fairness, and Safety Before Deployment",
      "url": "/articles/ai-landscape/algorithmic-auditing/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/algorithmic-auditing/",
      "category": "ai-landscape",
      "tags": ["algorithmic-auditing","bias-testing","fairness","red-teaming","model-safety"],
      "difficulty": "advanced",
      "reading_time_minutes": 19,
      "date": "2026-03-09T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","compliance-lead"]
    },
    {
      "title": "Hardening a Complete Kubernetes Platform: From Cluster Bootstrap to Production-Ready",
      "url": "/articles/cross-cutting/complete-kubernetes-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/complete-kubernetes-hardening/",
      "category": "cross-cutting",
      "tags": ["kubernetes","hardening","rbac","network-policy","admission-control","seccomp","falco","audit-logging"],
      "difficulty": "advanced",
      "reading_time_minutes": 35,
      "date": "2026-03-09T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "AI Data Leakage Prevention: Input Filtering, Output Scanning, and Audit Trails",
      "url": "/articles/kubernetes/ai-data-leakage-prevention/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ai-data-leakage-prevention/",
      "category": "kubernetes",
      "tags": ["ai","data-leakage","pii","compliance","output-filtering","audit"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-03-08T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","security-engineer"]
    },
    {
      "title": "Linux Audit Framework Deep Dive: auditd Rules, auditctl, and ausearch for Security Monitoring",
      "url": "/articles/linux/auditd-deep-dive/",
      "full_url": "https://www.systemshardening.com/articles/linux/auditd-deep-dive/",
      "category": "linux",
      "tags": ["auditd","audit","linux","monitoring","compliance","forensics"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-03-08T00:00:00.000Z",
      "personas": ["security-engineer","systems-engineer"]
    },
    {
      "title": "Jupyter Notebook Security: Authentication, Isolation, and Data Protection",
      "url": "/articles/kubernetes/jupyter-notebook-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/jupyter-notebook-security/",
      "category": "kubernetes",
      "tags": ["ai","jupyter","jupyterhub","isolation","authentication","notebooks"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-03-06T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer"]
    },
    {
      "title": "gRPC Load Balancing Security: Client-Side, Proxy, and Service Mesh Patterns",
      "url": "/articles/network/grpc-load-balancing-security/",
      "full_url": "https://www.systemshardening.com/articles/network/grpc-load-balancing-security/",
      "category": "network",
      "tags": ["grpc","load-balancing","envoy","kubernetes","xds","service-mesh"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-03-05T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "Security-Relevant Prometheus Metrics: What to Collect, How to Alert, When to Page",
      "url": "/articles/observability/prometheus-security-metrics/",
      "full_url": "https://www.systemshardening.com/articles/observability/prometheus-security-metrics/",
      "category": "observability",
      "tags": ["prometheus","alerting","security-metrics","grafana","sli","monitoring"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-03-05T00:00:00.000Z",
      "personas": ["sre","security-engineer"]
    },
    {
      "title": "Claude, Mythos, and the Non-Human Infrastructure Consumer: Writing Hardening Guides for AI Agents",
      "url": "/articles/ai-landscape/claude-non-human-consumers/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/claude-non-human-consumers/",
      "category": "ai-landscape",
      "tags": ["ai-agents","claude","documentation","structured-content","infrastructure-as-code","llm"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-03-04T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","ai-agent"]
    },
    {
      "title": "Incident Response Hardening Playbook: From Detection to Post-Mortem",
      "url": "/articles/cross-cutting/incident-response-hardening-playbook/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/incident-response-hardening-playbook/",
      "category": "cross-cutting",
      "tags": ["incident-response","containment","forensics","post-mortem","hardening","falco"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-03-02T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Multi-Tenancy Hardening in Kubernetes: Namespace Isolation, Resource Quotas, and Network Boundaries",
      "url": "/articles/kubernetes/multi-tenancy-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/multi-tenancy-hardening/",
      "category": "kubernetes",
      "tags": ["kubernetes","multi-tenancy","namespaces","rbac","network-policy","resource-quotas"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-03-02T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "DNS Security for Production Infrastructure: DNSSEC, CAA Records, and Internal Resolution",
      "url": "/articles/network/dns-security-dnssec-caa/",
      "full_url": "https://www.systemshardening.com/articles/network/dns-security-dnssec-caa/",
      "category": "network",
      "tags": ["dns","dnssec","caa","unbound","coredns","dns-over-tls"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-03-02T00:00:00.000Z",
      "personas": ["systems-engineer","sre"]
    },
    {
      "title": "Securing Helm Charts: Chart Signing, Value Injection, and Template Security",
      "url": "/articles/cicd/helm-chart-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/helm-chart-security/",
      "category": "cicd",
      "tags": ["helm","kubernetes","chart-signing","cosign","template-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-03-01T00:00:00.000Z",
      "personas": ["devops-engineer","platform-engineer"]
    },
    {
      "title": "Building a Content Filtering Pipeline for LLM Applications: From Raw Input to Safe Output",
      "url": "/articles/kubernetes/ai-content-filtering-pipeline/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ai-content-filtering-pipeline/",
      "category": "kubernetes",
      "tags": ["content-filtering","llm-security","sidecar","input-classification","output-scanning"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-03-01T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","sre"]
    },
    {
      "title": "AI Red Teaming Methodology: Structured Adversarial Testing for LLM Applications",
      "url": "/articles/kubernetes/ai-red-teaming/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ai-red-teaming/",
      "category": "kubernetes",
      "tags": ["red-teaming","adversarial-testing","ai-security","llm-security","safety-testing"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-03-01T00:00:00.000Z",
      "personas": ["security-engineer","ai-ml-engineer"]
    },
    {
      "title": "Kubernetes Image Policy Enforcement: Cosign, Notation, and Admission Webhooks",
      "url": "/articles/kubernetes/image-policy-enforcement/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/image-policy-enforcement/",
      "category": "kubernetes",
      "tags": ["kubernetes","cosign","sigstore","image-signing","kyverno","gatekeeper","supply-chain"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-02-26T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer","security-engineer"]
    },
    {
      "title": "Linux Firewall Hardening with nftables: Replacing iptables in Production",
      "url": "/articles/linux/nftables/",
      "full_url": "https://www.systemshardening.com/articles/linux/nftables/",
      "category": "linux",
      "tags": ["nftables","firewall","iptables","linux","network-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-02-26T00:00:00.000Z",
      "personas": ["systems-engineer","sre"]
    },
    {
      "title": "Helm Supply Chain Security: OCI Registries, Provenance Verification, and Chart Mirroring",
      "url": "/articles/cicd/helm-supply-chain-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/helm-supply-chain-security/",
      "category": "cicd",
      "tags": ["helm","supply-chain","cosign","oci","kyverno","chart-signing"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-02-25T00:00:00.000Z",
      "personas": ["devops-engineer","platform-engineer"]
    },
    {
      "title": "Security Infrastructure Disaster Recovery: Vault, PKI, and SIEM Failover",
      "url": "/articles/cross-cutting/security-infra-disaster-recovery/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/security-infra-disaster-recovery/",
      "category": "cross-cutting",
      "tags": ["disaster-recovery","vault","pki","siem","observability","resilience"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-02-24T00:00:00.000Z",
      "personas": ["sre","security-engineer"]
    },
    {
      "title": "Securing RAG Pipelines: Vector Database Access Control, Document Poisoning, and Retrieval Filtering",
      "url": "/articles/kubernetes/rag-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/rag-security/",
      "category": "kubernetes",
      "tags": ["rag","vector-database","document-poisoning","retrieval","ai-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-02-24T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer"]
    },
    {
      "title": "Detecting AI-Generated Attacks: Moving from Signatures to Behavioural Baselines",
      "url": "/articles/ai-landscape/detecting-ai-attacks/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/detecting-ai-attacks/",
      "category": "ai-landscape",
      "tags": ["ai-security","behavioural-detection","falco","tetragon","ebpf","anomaly-detection"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-02-23T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Pod Security Context Deep Dive: runAsNonRoot, readOnlyRootFilesystem, and Capabilities",
      "url": "/articles/kubernetes/pod-security-context/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/pod-security-context/",
      "category": "kubernetes",
      "tags": ["kubernetes","security-context","containers","pod-security","capabilities"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-02-23T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "WAF Rule Tuning That Does Not Break Legitimate Traffic: ModSecurity and Coraza in Practice",
      "url": "/articles/network/waf-rule-tuning/",
      "full_url": "https://www.systemshardening.com/articles/network/waf-rule-tuning/",
      "category": "network",
      "tags": ["waf","modsecurity","coraza","owasp-crs","nginx","false-positives","rule-tuning"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-02-22T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "eBPF-Based Security Monitoring: Tetragon for Process, Network, and File Observability",
      "url": "/articles/observability/ebpf-tetragon/",
      "full_url": "https://www.systemshardening.com/articles/observability/ebpf-tetragon/",
      "category": "observability",
      "tags": ["ebpf","tetragon","cilium","runtime-security","process-monitoring","falco"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-02-22T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Adversarial Attacks on Embeddings: Poisoning Vector Stores and Manipulating Semantic Search",
      "url": "/articles/ai-landscape/adversarial-embedding-attacks/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/adversarial-embedding-attacks/",
      "category": "ai-landscape",
      "tags": ["embeddings","vector-stores","adversarial-ml","rag-security","semantic-search","poisoning"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-02-21T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer"]
    },
    {
      "title": "Migrating from Self-Hosted Prometheus to Grafana Cloud: Preserving Dashboards, Alerts, and History",
      "url": "/articles/cross-cutting/migrate-prometheus-grafana-cloud/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/migrate-prometheus-grafana-cloud/",
      "category": "cross-cutting",
      "tags": ["prometheus","grafana-cloud","migration","observability","remote-write"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-02-21T00:00:00.000Z",
      "personas": ["sre","platform-engineer"]
    },
    {
      "title": "Cgroup v2 Resource Isolation: Preventing Resource Exhaustion Attacks on Shared Systems",
      "url": "/articles/linux/cgroup-resource-isolation/",
      "full_url": "https://www.systemshardening.com/articles/linux/cgroup-resource-isolation/",
      "category": "linux",
      "tags": ["cgroups","resource-isolation","systemd","containers","linux","denial-of-service"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-02-21T00:00:00.000Z",
      "personas": ["systems-engineer","platform-engineer"]
    },
    {
      "title": "SELinux in Production: Writing Custom Policies Without Losing Your Mind",
      "url": "/articles/linux/selinux/",
      "full_url": "https://www.systemshardening.com/articles/linux/selinux/",
      "category": "linux",
      "tags": ["selinux","mac","hardening","rhel","policy","audit2allow"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-02-21T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer"]
    },
    {
      "title": "AI-Powered Vulnerability Discovery: What Automated Code Analysis Means for Your Patch Cycle",
      "url": "/articles/ai-landscape/ai-vulnerability-discovery/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-vulnerability-discovery/",
      "category": "ai-landscape",
      "tags": ["ai-security","vulnerability-management","patching","trivy","cicd","snyk"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-02-19T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","sre"]
    },
    {
      "title": "Artifact Integrity Verification: Checksums, Signatures, and Transparency Logs",
      "url": "/articles/cicd/artifact-integrity/",
      "full_url": "https://www.systemshardening.com/articles/cicd/artifact-integrity/",
      "category": "cicd",
      "tags": ["artifact-integrity","cosign","in-toto","slsa","sigstore","supply-chain"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-02-19T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer"]
    },
    {
      "title": "Agent-to-Agent Trust: Authentication, Delegation, and Capability Boundaries in Multi-Agent Systems",
      "url": "/articles/ai-landscape/agent-to-agent-trust/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/agent-to-agent-trust/",
      "category": "ai-landscape",
      "tags": ["ai-agents","multi-agent","trust","delegation","capability-tokens","zero-trust"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-02-18T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","ai-ml-engineer"]
    },
    {
      "title": "Securing LLM Deployments: Model Loading, Runtime Isolation, and Inference Infrastructure",
      "url": "/articles/ai-landscape/llm-deployment-security/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/llm-deployment-security/",
      "category": "ai-landscape",
      "tags": ["llm-deployment","model-security","gpu-isolation","inference-security","container-sandboxing","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 20,
      "date": "2026-02-18T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ai-ml-engineer"]
    },
    {
      "title": "Vector Database Security: Access Control, Embedding Protection, and Query Isolation",
      "url": "/articles/kubernetes/vector-database-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/vector-database-security/",
      "category": "kubernetes",
      "tags": ["vector-database","qdrant","weaviate","embeddings","rag","ai-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-02-18T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "The Threat Model Has Changed: Rewriting Security Assumptions for an AI-Augmented World",
      "url": "/articles/ai-landscape/threat-model-ai-augmented/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/threat-model-ai-augmented/",
      "category": "ai-landscape",
      "tags": ["threat-modelling","ai-security","zero-trust","fido2","behavioural-detection","stride"],
      "difficulty": "advanced",
      "reading_time_minutes": 20,
      "date": "2026-02-17T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","sre"]
    },
    {
      "title": "A/B Model Deployment Safety: Canary Rollouts, Traffic Splitting, and Automated Rollback for ML Models",
      "url": "/articles/kubernetes/ab-deployment-safety/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ab-deployment-safety/",
      "category": "kubernetes",
      "tags": ["canary","rollback","istio","ml-deployment","traffic-splitting","ai-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 17,
      "date": "2026-02-16T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","sre"]
    },
    {
      "title": "Kubernetes API Server Hardening: Flags, Authentication, and Audit Logging",
      "url": "/articles/kubernetes/api-server-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/api-server-hardening/",
      "category": "kubernetes",
      "tags": ["kubernetes","api-server","authentication","audit-logging","oidc"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-02-15T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Time Synchronization Security: Hardening NTP and Chrony Against Manipulation",
      "url": "/articles/linux/time-sync-security/",
      "full_url": "https://www.systemshardening.com/articles/linux/time-sync-security/",
      "category": "linux",
      "tags": ["ntp","chrony","nts","time-synchronization","hardening","linux"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-02-15T00:00:00.000Z",
      "personas": ["systems-engineer","sre"]
    },
    {
      "title": "Securing GitHub Actions: Permissions, Pinning, and Workflow Injection Prevention",
      "url": "/articles/cicd/securing-github-actions/",
      "full_url": "https://www.systemshardening.com/articles/cicd/securing-github-actions/",
      "category": "cicd",
      "tags": ["github-actions","cicd","supply-chain","workflow-security","oidc"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-02-13T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer"]
    },
    {
      "title": "Automated OS Hardening with Ansible: A Production-Ready Playbook Collection",
      "url": "/articles/linux/ansible-os-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/ansible-os-hardening/",
      "category": "linux",
      "tags": ["ansible","automation","hardening","cis-benchmark","compliance","molecule"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-02-12T00:00:00.000Z",
      "personas": ["devops-engineer","systems-engineer"]
    },
    {
      "title": "Securing Message Queues in Production: Kafka, RabbitMQ, and NATS Hardening",
      "url": "/articles/cross-cutting/message-queue-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/message-queue-hardening/",
      "category": "cross-cutting",
      "tags": ["kafka","rabbitmq","nats","message-queue","tls","authentication"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-02-10T00:00:00.000Z",
      "personas": ["platform-engineer","systems-engineer"]
    },
    {
      "title": "Log Integrity and Tamper Detection: Ensuring Your Audit Trail Is Trustworthy",
      "url": "/articles/observability/log-integrity/",
      "full_url": "https://www.systemshardening.com/articles/observability/log-integrity/",
      "category": "observability",
      "tags": ["log-integrity","tamper-detection","immutable-storage","hash-chaining","forensics"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-02-10T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Seccomp Profiles for Production Workloads: Writing, Testing, and Deploying Custom Profiles",
      "url": "/articles/kubernetes/seccomp-profiles/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/seccomp-profiles/",
      "category": "kubernetes",
      "tags": ["kubernetes","seccomp","syscalls","container-security","runtime-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-02-09T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Container Escape Detection: Runtime Signals, Kernel Indicators, and Response Automation",
      "url": "/articles/observability/container-escape-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/container-escape-detection/",
      "category": "observability",
      "tags": ["container-security","falco","tetragon","runtime-detection","container-escape","kubernetes"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-02-07T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Multi-Cloud Hardening: Consistent Security Posture Across Providers",
      "url": "/articles/cross-cutting/multi-cloud-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/multi-cloud-hardening/",
      "category": "cross-cutting",
      "tags": ["multi-cloud","terraform","iam","observability","aws","gcp","security-posture"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-02-04T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "AI Model Cards in Production: Documenting Capabilities, Limitations, and Security Properties",
      "url": "/articles/ai-landscape/ai-model-cards/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-model-cards/",
      "category": "ai-landscape",
      "tags": ["model-cards","ai-governance","documentation","supply-chain","ml-ops"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-02-02T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "PAM Configuration Hardening: Password Policies, Login Controls, and MFA Integration",
      "url": "/articles/linux/pam-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/pam-hardening/",
      "category": "linux",
      "tags": ["pam","authentication","mfa","yubikey","password-policy","faillock"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-02-02T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer"]
    },
    {
      "title": "Hardening the AI Control Plane: Kill Switches, Rate Limits, and Human-in-the-Loop Gates",
      "url": "/articles/ai-landscape/ai-control-plane/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-control-plane/",
      "category": "ai-landscape",
      "tags": ["ai-agents","control-plane","kill-switch","rate-limiting","safety"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-02-01T00:00:00.000Z",
      "personas": ["platform-engineer","ai-ml-engineer","sre"]
    },
    {
      "title": "How AI Is Compressing the Attacker Timeline: What Defenders Need to Change Now",
      "url": "/articles/ai-landscape/ai-compressing-attacker-timeline/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-compressing-attacker-timeline/",
      "category": "ai-landscape",
      "tags": ["ai-security","threat-landscape","behavioural-detection","patch-management","falco","tetragon"],
      "difficulty": "advanced",
      "reading_time_minutes": 20,
      "date": "2026-01-30T00:00:00.000Z",
      "personas": ["security-engineer","sre","platform-engineer"]
    },
    {
      "title": "Membership Inference Defence: Preventing Attackers from Determining Training Data Inclusion",
      "url": "/articles/ai-landscape/membership-inference-defence/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/membership-inference-defence/",
      "category": "ai-landscape",
      "tags": ["membership-inference","differential-privacy","privacy","ml-security","training-data"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-01-28T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer"]
    },
    {
      "title": "Dependency Pinning and Lockfile Integrity: Preventing Supply Chain Attacks in CI",
      "url": "/articles/cicd/dependency-pinning/",
      "full_url": "https://www.systemshardening.com/articles/cicd/dependency-pinning/",
      "category": "cicd",
      "tags": ["dependencies","lockfile","supply-chain","npm","pip","go"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-01-28T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer"]
    },
    {
      "title": "etcd Encryption at Rest: Configuration, Key Rotation, and Performance Impact",
      "url": "/articles/kubernetes/etcd-encryption/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/etcd-encryption/",
      "category": "kubernetes",
      "tags": ["kubernetes","etcd","encryption","secrets","key-management"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-01-28T00:00:00.000Z",
      "personas": ["platform-engineer","sre"]
    },
    {
      "title": "Kernel Module Hardening: Blacklisting, Signing, and Preventing Runtime Loading",
      "url": "/articles/linux/kernel-module-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/kernel-module-hardening/",
      "category": "linux",
      "tags": ["kernel-modules","modprobe","module-signing","hardening","linux"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-01-28T00:00:00.000Z",
      "personas": ["systems-engineer","security-engineer"]
    },
    {
      "title": "Zero Trust Networking: Identity-Based Access Beyond Perimeter Security",
      "url": "/articles/cross-cutting/zero-trust-networking/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/zero-trust-networking/",
      "category": "cross-cutting",
      "tags": ["zero-trust","spiffe","spire","mtls","istio","identity","service-mesh"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-01-27T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Kubernetes Audit Log Pipeline Design: From API Server to SIEM",
      "url": "/articles/observability/k8s-audit-log-design/",
      "full_url": "https://www.systemshardening.com/articles/observability/k8s-audit-log-design/",
      "category": "observability",
      "tags": ["kubernetes","audit-logging","siem","api-server","security-monitoring"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-01-27T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Sandboxing AI Agent Tool Use: Filesystem, Network, and Process Isolation for Autonomous Actions",
      "url": "/articles/ai-landscape/agent-tool-use-sandboxing/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/agent-tool-use-sandboxing/",
      "category": "ai-landscape",
      "tags": ["ai-agents","sandboxing","gvisor","firecracker","isolation","filesystem-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-01-26T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer","ai-ml-engineer"]
    },
    {
      "title": "Claude for Security Detection: How Large Language Models Find What Scanners Miss",
      "url": "/articles/ai-landscape/claude-security-detection/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/claude-security-detection/",
      "category": "ai-landscape",
      "tags": ["claude","llm","security-detection","vulnerability-analysis","code-review","audit","anthropic"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-01-26T00:00:00.000Z",
      "personas": ["security-engineer","devops-engineer","platform-engineer","sre"]
    },
    {
      "title": "Implementing AI Guardrails: Input Validation, Output Filtering, and Safety Classifiers in Production",
      "url": "/articles/kubernetes/ai-guardrails-implementation/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ai-guardrails-implementation/",
      "category": "kubernetes",
      "tags": ["guardrails","ai-safety","input-validation","output-filtering","content-safety","pii-detection"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-01-26T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","sre"]
    },
    {
      "title": "Hardening Container Base Images: From ubuntu:latest to a Minimal, Signed, Scannable Image",
      "url": "/articles/linux/container-base-images/",
      "full_url": "https://www.systemshardening.com/articles/linux/container-base-images/",
      "category": "linux",
      "tags": ["containers","docker","base-images","distroless","cosign","trivy","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-01-26T00:00:00.000Z",
      "personas": ["devops-engineer","platform-engineer"]
    },
    {
      "title": "Using AI to Harden Systems: Automated Configuration Review and Remediation",
      "url": "/articles/ai-landscape/ai-assisted-hardening/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-assisted-hardening/",
      "category": "ai-landscape",
      "tags": ["ai-security","llm","iac-review","automation","configuration","remediation"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-01-23T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "Reproducible Builds for Container Images: Achieving Deterministic Output",
      "url": "/articles/cicd/reproducible-builds/",
      "full_url": "https://www.systemshardening.com/articles/cicd/reproducible-builds/",
      "category": "cicd",
      "tags": ["reproducible-builds","containers","supply-chain","docker","buildah","ko"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-01-23T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer"]
    },
    {
      "title": "Hardening Kubernetes Ingress Controllers: NGINX, Traefik, and Envoy Compared",
      "url": "/articles/kubernetes/ingress-controller-comparison/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ingress-controller-comparison/",
      "category": "kubernetes",
      "tags": ["kubernetes","ingress","nginx","traefik","envoy","tls","waf"],
      "difficulty": "intermediate",
      "reading_time_minutes": 21,
      "date": "2026-01-23T00:00:00.000Z",
      "personas": ["platform-engineer","sre"]
    },
    {
      "title": "LLM Observability in Production: Monitoring Latency, Token Usage, Safety Violations, and Drift",
      "url": "/articles/kubernetes/llm-observability-production/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/llm-observability-production/",
      "category": "kubernetes",
      "tags": ["observability","llm-monitoring","prometheus","grafana","metrics","drift-detection"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-01-23T00:00:00.000Z",
      "personas": ["sre","ai-ml-engineer","security-engineer"]
    },
    {
      "title": "Crypto Mining Detection: CPU Patterns, Network Signatures, and Automated Response",
      "url": "/articles/observability/crypto-mining-detection/",
      "full_url": "https://www.systemshardening.com/articles/observability/crypto-mining-detection/",
      "category": "observability",
      "tags": ["cryptojacking","detection","falco","prometheus","kubernetes","runtime-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-01-23T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Building Detection Rules That Don't Cry Wolf: Alert Design for Security Events",
      "url": "/articles/observability/detection-rules/",
      "full_url": "https://www.systemshardening.com/articles/observability/detection-rules/",
      "category": "observability",
      "tags": ["alerting","detection","false-positives","correlation","prometheus","falco"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-01-23T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "Hardening Model Serving Frameworks: TorchServe, Triton, and vLLM Security Configuration",
      "url": "/articles/kubernetes/model-serving-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/model-serving-hardening/",
      "category": "kubernetes",
      "tags": ["torchserve","triton","vllm","model-serving","ai-security","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-01-22T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer"]
    },
    {
      "title": "Securing Fine-Tuning Pipelines: Data Isolation, Checkpoint Integrity, and Access Control",
      "url": "/articles/kubernetes/fine-tuning-pipeline-security/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/fine-tuning-pipeline-security/",
      "category": "kubernetes",
      "tags": ["fine-tuning","ml-pipeline","data-poisoning","checkpoint-signing","ai-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-01-21T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","security-engineer"]
    },
    {
      "title": "GitOps Security Model: Separation of Duties, Drift Detection, and Rollback Controls",
      "url": "/articles/cicd/gitops-security/",
      "full_url": "https://www.systemshardening.com/articles/cicd/gitops-security/",
      "category": "cicd",
      "tags": ["gitops","argocd","flux","kubernetes","drift-detection","rbac"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-01-20T00:00:00.000Z",
      "personas": ["devops-engineer","platform-engineer"]
    },
    {
      "title": "Preventing HTTP Request Smuggling: Configuration for NGINX, HAProxy, and Envoy",
      "url": "/articles/network/request-smuggling-prevention/",
      "full_url": "https://www.systemshardening.com/articles/network/request-smuggling-prevention/",
      "category": "network",
      "tags": ["request-smuggling","nginx","haproxy","envoy","http-parsing","reverse-proxy","security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-01-20T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "Hardening the Kubernetes Scheduler: Topology Constraints and Security-Aware Placement",
      "url": "/articles/kubernetes/scheduler-hardening/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/scheduler-hardening/",
      "category": "kubernetes",
      "tags": ["kubernetes","scheduler","node-affinity","taints","topology","multi-tenancy"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-01-19T00:00:00.000Z",
      "personas": ["platform-engineer","sre"]
    },
    {
      "title": "Certificate Expiry Monitoring: Automated Detection Across TLS, mTLS, and Signing Certificates",
      "url": "/articles/observability/certificate-expiry-monitoring/",
      "full_url": "https://www.systemshardening.com/articles/observability/certificate-expiry-monitoring/",
      "category": "observability",
      "tags": ["certificates","tls","monitoring","prometheus","cert-manager","expiry"],
      "difficulty": "intermediate",
      "reading_time_minutes": 15,
      "date": "2026-01-19T00:00:00.000Z",
      "personas": ["sre","platform-engineer"]
    },
    {
      "title": "Incident Response Runbooks: Structured Procedures for Common Security Events",
      "url": "/articles/observability/incident-response-runbooks/",
      "full_url": "https://www.systemshardening.com/articles/observability/incident-response-runbooks/",
      "category": "observability",
      "tags": ["incident-response","runbooks","alerting","automation","security-operations"],
      "difficulty": "intermediate",
      "reading_time_minutes": 17,
      "date": "2026-01-19T00:00:00.000Z",
      "personas": ["sre","security-engineer"]
    },
    {
      "title": "AI Credential Delegation: Short-Lived Tokens, Scope Narrowing, and Audit Trails for Agent Access",
      "url": "/articles/ai-landscape/ai-credential-delegation/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-credential-delegation/",
      "category": "ai-landscape",
      "tags": ["ai-agents","credentials","vault","short-lived-tokens","audit","just-in-time-access"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-01-18T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer","ai-ml-engineer"]
    },
    {
      "title": "AppArmor Profiles for Custom Applications: From Complain Mode to Enforce",
      "url": "/articles/linux/apparmor/",
      "full_url": "https://www.systemshardening.com/articles/linux/apparmor/",
      "category": "linux",
      "tags": ["apparmor","mac","hardening","ubuntu","profiles","confinement"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-01-18T00:00:00.000Z",
      "personas": ["systems-engineer","platform-engineer"]
    },
    {
      "title": "Kubernetes Audit Log Analysis: What to Log, How to Query, and What to Alert On",
      "url": "/articles/kubernetes/audit-log-analysis/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/audit-log-analysis/",
      "category": "kubernetes",
      "tags": ["kubernetes","audit-logs","security-monitoring","siem","detection","compliance"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-01-17T00:00:00.000Z",
      "personas": ["security-engineer","platform-engineer"]
    },
    {
      "title": "systemd Unit Hardening: ProtectSystem, PrivateTmp, and the Full Sandbox Toolkit",
      "url": "/articles/linux/systemd-unit-hardening/",
      "full_url": "https://www.systemshardening.com/articles/linux/systemd-unit-hardening/",
      "category": "linux",
      "tags": ["systemd","sandboxing","hardening","linux","capabilities","seccomp"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-01-17T00:00:00.000Z",
      "personas": ["systems-engineer","devops-engineer"]
    },
    {
      "title": "HTTP Security Headers in Production: CSP, HSTS, and Permissions-Policy Without Breaking Your App",
      "url": "/articles/network/http-security-headers/",
      "full_url": "https://www.systemshardening.com/articles/network/http-security-headers/",
      "category": "network",
      "tags": ["security-headers","csp","hsts","permissions-policy","content-security-policy","nginx","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-01-17T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "Hardening WebSocket Connections: Authentication, Rate Limiting, and Origin Validation",
      "url": "/articles/network/websocket-hardening/",
      "full_url": "https://www.systemshardening.com/articles/network/websocket-hardening/",
      "category": "network",
      "tags": ["websocket","rate-limiting","authentication","origin-validation","nginx","envoy","security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 18,
      "date": "2026-01-16T00:00:00.000Z",
      "personas": ["platform-engineer","security-engineer"]
    },
    {
      "title": "Centralized Logging Architecture for Security: Fluentd, Vector, and Loki Compared",
      "url": "/articles/observability/centralized-logging/",
      "full_url": "https://www.systemshardening.com/articles/observability/centralized-logging/",
      "category": "observability",
      "tags": ["logging","fluentd","vector","loki","elasticsearch","architecture"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-01-16T00:00:00.000Z",
      "personas": ["sre","security-engineer"]
    },
    {
      "title": "Securing Model Artifact Pipelines: From Training to Serving",
      "url": "/articles/kubernetes/model-artifact-pipelines/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/model-artifact-pipelines/",
      "category": "kubernetes",
      "tags": ["ai","model-signing","cosign","oci","supply-chain","mlops"],
      "difficulty": "advanced",
      "reading_time_minutes": 14,
      "date": "2026-01-15T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "Building a Security Audit Log Pipeline That Scales: auditd to Elasticsearch",
      "url": "/articles/observability/audit-log-pipeline/",
      "full_url": "https://www.systemshardening.com/articles/observability/audit-log-pipeline/",
      "category": "observability",
      "tags": ["auditd","logging","elasticsearch","loki","security-monitoring","audit"],
      "difficulty": "advanced",
      "reading_time_minutes": 22,
      "date": "2026-01-13T00:00:00.000Z",
      "personas": ["security-engineer","sre"]
    },
    {
      "title": "AI Incident Reporting: Detection, Classification, and Response Procedures for AI System Failures",
      "url": "/articles/ai-landscape/ai-incident-reporting/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/ai-incident-reporting/",
      "category": "ai-landscape",
      "tags": ["incident-response","ai-incidents","runbooks","model-failures","post-incident-review"],
      "difficulty": "advanced",
      "reading_time_minutes": 18,
      "date": "2026-01-12T00:00:00.000Z",
      "personas": ["sre","security-engineer","ai-ml-engineer"]
    },
    {
      "title": "Claude for Security Incident Triage: Rapid Analysis of Logs, Alerts, and Blast Radius",
      "url": "/articles/ai-landscape/claude-incident-triage/",
      "full_url": "https://www.systemshardening.com/articles/ai-landscape/claude-incident-triage/",
      "category": "ai-landscape",
      "tags": ["claude","llm","incident-response","triage","log-analysis","blast-radius","siem"],
      "difficulty": "intermediate",
      "reading_time_minutes": 20,
      "date": "2026-01-12T00:00:00.000Z",
      "personas": ["security-engineer","sre","incident-responder","devops-engineer"]
    },
    {
      "title": "Security Hardening for Small Teams: Prioritising Controls When You Cannot Do Everything",
      "url": "/articles/cross-cutting/hardening-small-teams/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/hardening-small-teams/",
      "category": "cross-cutting",
      "tags": ["prioritisation","small-teams","hardening","maturity-model","roadmap"],
      "difficulty": "beginner",
      "reading_time_minutes": 18,
      "date": "2026-01-12T00:00:00.000Z",
      "personas": ["devops-engineer","systems-engineer"]
    },
    {
      "title": "RLHF Data Protection: Securing Human Feedback Loops, Preference Data, and Reward Models",
      "url": "/articles/kubernetes/rlhf-data-protection/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/rlhf-data-protection/",
      "category": "kubernetes",
      "tags": ["rlhf","human-feedback","reward-model","data-protection","ai-security"],
      "difficulty": "advanced",
      "reading_time_minutes": 17,
      "date": "2026-01-12T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer","platform-engineer"]
    },
    {
      "title": "SLSA Provenance for Container Images: From Build to Admission Control",
      "url": "/articles/cicd/slsa-provenance/",
      "full_url": "https://www.systemshardening.com/articles/cicd/slsa-provenance/",
      "category": "cicd",
      "tags": ["slsa","provenance","cosign","supply-chain","sigstore","admission-control"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-01-11T00:00:00.000Z",
      "personas": ["devops-engineer","security-engineer"]
    },
    {
      "title": "AI API Key Management: Rotation, Scoping, and Abuse Detection",
      "url": "/articles/kubernetes/ai-api-key-management/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ai-api-key-management/",
      "category": "kubernetes",
      "tags": ["ai","api-keys","vault","secrets","rotation","abuse-detection"],
      "difficulty": "intermediate",
      "reading_time_minutes": 13,
      "date": "2026-01-11T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","devops-engineer"]
    },
    {
      "title": "Prompt Injection Defence in Production: Input Validation, Output Filtering, and Monitoring",
      "url": "/articles/kubernetes/prompt-injection/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/prompt-injection/",
      "category": "kubernetes",
      "tags": ["prompt-injection","ai-security","input-validation","output-filtering","guardrails"],
      "difficulty": "advanced",
      "reading_time_minutes": 16,
      "date": "2026-01-11T00:00:00.000Z",
      "personas": ["ai-ml-engineer","security-engineer"]
    },
    {
      "title": "Filesystem Mount Options That Matter: noexec, nosuid, nodev, and Beyond",
      "url": "/articles/linux/filesystem-mount-options/",
      "full_url": "https://www.systemshardening.com/articles/linux/filesystem-mount-options/",
      "category": "linux",
      "tags": ["mount-options","filesystem","noexec","nosuid","nodev","hardening","linux"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-01-08T00:00:00.000Z",
      "personas": ["systems-engineer","sre"]
    },
    {
      "title": "gRPC Security in Production: TLS, Authentication, and Interceptor-Based Access Control",
      "url": "/articles/network/grpc-security/",
      "full_url": "https://www.systemshardening.com/articles/network/grpc-security/",
      "category": "network",
      "tags": ["grpc","tls","mtls","authentication","interceptors","envoy","security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 22,
      "date": "2026-01-08T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "Network Segmentation for AI Training Infrastructure",
      "url": "/articles/kubernetes/ai-training-network-segmentation/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/ai-training-network-segmentation/",
      "category": "kubernetes",
      "tags": ["ai","network-policy","training","segmentation","cilium","gpu"],
      "difficulty": "advanced",
      "reading_time_minutes": 15,
      "date": "2026-01-07T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","security-engineer"]
    },
    {
      "title": "Migrating from Self-Managed Kubernetes to a Managed Provider Without Losing Your Security Posture",
      "url": "/articles/cross-cutting/migrate-to-managed-k8s/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/migrate-to-managed-k8s/",
      "category": "cross-cutting",
      "tags": ["kubernetes","migration","managed-kubernetes","civo","digitalocean","security"],
      "difficulty": "advanced",
      "reading_time_minutes": 22,
      "date": "2026-01-06T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    },
    {
      "title": "Observability for LLM Applications: Token Usage, Latency Anomalies, and Output Classification",
      "url": "/articles/kubernetes/llm-observability/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/llm-observability/",
      "category": "kubernetes",
      "tags": ["llm","observability","opentelemetry","token-usage","cost-tracking","ai"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-01-05T00:00:00.000Z",
      "personas": ["ai-ml-engineer","sre"]
    },
    {
      "title": "Model Registry Access Control: Versioning, Signing, and Promotion Gates",
      "url": "/articles/kubernetes/model-registry-access-control/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/model-registry-access-control/",
      "category": "kubernetes",
      "tags": ["model-registry","cosign","rbac","supply-chain","ai-security"],
      "difficulty": "intermediate",
      "reading_time_minutes": 16,
      "date": "2026-01-03T00:00:00.000Z",
      "personas": ["ai-ml-engineer","platform-engineer","security-engineer"]
    },
    {
      "title": "Hardening Redis in Production: Authentication, TLS, ACLs, and Command Restriction",
      "url": "/articles/cross-cutting/redis-hardening/",
      "full_url": "https://www.systemshardening.com/articles/cross-cutting/redis-hardening/",
      "category": "cross-cutting",
      "tags": ["redis","database","tls","acl","authentication","hardening"],
      "difficulty": "intermediate",
      "reading_time_minutes": 14,
      "date": "2026-01-01T00:00:00.000Z",
      "personas": ["systems-engineer","sre"]
    },
    {
      "title": "Kubernetes Service Account Token Security: Bound Tokens, Projected Volumes, and OIDC",
      "url": "/articles/kubernetes/service-account-tokens/",
      "full_url": "https://www.systemshardening.com/articles/kubernetes/service-account-tokens/",
      "category": "kubernetes",
      "tags": ["kubernetes","service-accounts","tokens","oidc","workload-identity"],
      "difficulty": "intermediate",
      "reading_time_minutes": 19,
      "date": "2026-01-01T00:00:00.000Z",
      "personas": ["platform-engineer","devops-engineer"]
    }
  ]
}
