Thoughts on Technology, Security and Code

Zero Trust gets thrown around as a marketing term so often that it’s easy to lose sight of what it actually changes architecturally. At its core, it’s a shift in where you place trust: instead of the network edge (is this traffic coming from inside the VPN?), you trust identity (who is making this request, and can they prove it?). That shift puts three things at the center of your architecture: an Identity Provider (IDP), OAuth2, and JWTs. They are distinct tools that get conflated constantly. Here’s how they actually fit together. ...

The Backstory and Where We All Come From Passwords, private keys, and API keys are spread across systems and easy to compromise — that’s the normal situation in many environments. Most have rogue credentials scattered across servers, and the workforce still relies on passwords rather than moving toward Zero Trust IAM. This must change, and fast. We all know this problem exists somewhere in our environment. It’s easier in cloud or PaaS; even OpenShift or Kubernetes make it more manageable. But a broad, system-wide architecture with support for a wide selection of runtimes, operating systems, and cloud or on-prem server farms makes it hard. So hard, in fact, that I regularly stumble upon servers with plaintext files containing passwords, API keys, and certificates. ...

The “AI agent” label is doing a lot of heavy lifting right now. It covers a chatbot that drafts an email, a model that ships code on its own, and an autonomous system that operates a browser on your behalf. Same word, very different stakes. There are roughly four shapes these tools come in: chat, copilot, coding agent, autonomous agent. The lines blur, but the autonomy levels don’t. Here’s what each is good at, where each breaks, and how to decide which one to actually reach for. ...

You can paste a system description into an LLM and get back a STRIDE analysis in 30 seconds. A full threat list, categorised by type, with suggested mitigations. It looks thorough. It might even be thorough. That’s the problem. What LLMs Are Actually Good At Start with the honest case for using AI in threat modelling, because it’s real. Breadth coverage. A well-trained LLM has processed thousands of architecture descriptions, CVEs, and security design documents. It won’t forget to check for SSRF. It won’t skip repudiation because the session ran long. It has no blind spots born from familiarity with the system. For the common, well-documented threat categories, it’s genuinely reliable. ...

77% of breaches involve stolen credentials. Passwords are the problem, and we’ve known it for decades. Passkeys are the fix — and unlike previous attempts, they’re actually taking hold. What a Passkey Is A passkey is a cryptographic key pair that replaces your password. When you register with a service, your device generates two keys: Public key — sent to and stored on the service’s server. Not sensitive. Useless on its own. Private key — stays on your device, inside dedicated secure hardware. Never leaves. Ever. No shared secret. No password in a database to steal. No breach list to check your credentials against. ...

Most security work is reactive. Something breaks, you fix it. Threat modelling is the opposite: you sit down before anything breaks and ask what could go wrong? Then you build defences before the attacker shows up. It sounds obvious. Most teams still skip it. What Threat Modelling Is Threat modelling is a structured process for identifying what you’re protecting, who might attack it, how they’d do it, and what you’re going to do about it. OWASP distils it into four questions: ...

Anthropic announced Claude Mythos Preview on April 7, 2026. They described it as “a step change” and “the most capable model we’ve built to date.” That’s standard launch language. What isn’t standard is everything that came after. Here’s what the model actually does, why governments are paying attention, and what defenders can do now. What Mythos is Mythos is a general-purpose language model — 1M token context window, 128K max output, knowledge cutoff December 2025. On most benchmarks it performs as you’d expect from a frontier model at this scale. ...

SASE — Secure Access Service Edge — pronounced as “sassy” (/ˈsæsi/), is a word invented by a Gartner analyst to sell enterprise contracts. It worked. But the underlying ideas are genuinely useful, and the tools to implement them are now free. If you run a home lab, self-host services, or have workloads scattered across Cloudflare Workers, Railway, or Fly.io, this is for you. What SASE Actually Means SASE combines two things that traditionally lived in separate products: ...

I wanted a simple blog: write a Markdown file, push to GitHub, and have it live on my domain within a minute. No CMS, no server to maintain, no monthly bill. Here’s exactly how I built it. The Stack Hugo — static site generator. Builds the entire site in under 100ms. PaperMod — clean, fast Hugo theme with dark mode, tags, and RSS out of the box. GitHub — source of truth. Every push triggers a deploy. GitHub Actions — builds the site and deploys it on every push to master. Cloudflare Workers + Assets — hosts and serves the static files globally. Free tier is more than enough for a personal blog. Cloudflare DNS — manages the custom domain with automatic SSL. Total cost: zero. ...