Zero Trust is Not a Product: How to Actually Implement It
Every vendor is selling zero trust as a point solution. The reality is architectural — identity verification at every layer, from network to application. A practical roadmap.
Read issue →Security Newsletter
Threat Intelligence & Engineering Weekly
Every Monday, threat intelligence that engineering teams can act on. Zero trust architecture, supply chain security, cloud hardening, and the new attack vectors worth paying attention to.
Enterprise Security in the Age of Cloud and AI
The threat landscape has changed. Perimeter-based security stopped working once infrastructure spread across cloud regions, engineers went remote, and attack surfaces expanded to include AI models vulnerable to prompt injection. This newsletter covers what security teams actually deal with: zero trust implementation, supply chain risk, cloud hardening, and the new risks that come with AI.
Zero Trust is Architecture, Not a Product
Every major security vendor markets "zero trust" as a point solution: a firewall, an identity provider, a secrets manager. In reality, zero trust is architectural. It means verifying identity and authorization at every layer. Every network request, every API call, every resource access gets verified independently. No implicit trust for being "inside" the network.
Organizations that pulled this off did not buy a vendor solution. They built it piece by piece: mutual TLS for service-to-service communication, identity-driven access policies instead of IP-based rules, encrypted secrets management, continuous verification of user and service identity. It takes years and touches how applications communicate, how identity is managed, and how access control works.
Supply Chain Security: Managing Dependency Risk
The XZ Utils backdoor showed how a single compromised dependency can expose your entire infrastructure. The attack was sophisticated -- malicious code hidden in build artifacts, not in source. It exposed gaps in how most organizations manage open-source risk.
The teams handling this well have put several layers in place: dependency scanning for known vulnerabilities, provenance verification for binaries, restrictions on who can publish to internal package repos, and periodic audits of critical dependencies. The defense has to be layered because the risk is.
AI and LLMs: New Threat Vectors You Cannot Ignore
Any organization deploying language models is exposed to attack vectors that did not exist two years ago. Prompt injection can make models leak training data or bypass security controls. Model extraction techniques can steal proprietary models. Data exfiltration through context windows can expose information that was supposed to stay internal.
Security teams getting ahead of this are adding input validation and output filtering to AI systems, mapping what data flows into model context, and rate-limiting model endpoints. It is defensive security for a new class of application, and most orgs are behind.
STAY UPDATED
Threat intel every Monday
Practical security insights for engineering leaders.
RECENT ISSUES
Supply Chain Security After the XZ Utils Incident
One backdoored package nearly compromised infrastructure across the industry. How to audit your dependency tree and manage the risks of open-source supply chains.
Read issue →AI Threats: Prompt Injection, Model Theft, and Data Exfiltration
Every organization deploying LLMs is exposed to new attack vectors. Prompt injection attacks, model extraction, and data leakage through model context windows.
Read issue →