Blog
Practical security engineering — no fluff, no FUD.
GitHub Actions to AWS Without Access Keys: OIDC Federation Step-by-Step
Stop storing AWS access keys in GitHub Secrets. Use GitHub Actions OIDC AWS federation for temporary credentials that expire automatically.
The Startup Security Checklist: Seed to Series A
The startup security checklist from seed to Series A. Actionable items with time estimates so you can stop guessing and start shipping securely.
SOC 2 for Startups: What It Actually Takes
SOC 2 for startups doesn't have to be a nightmare. Here's what it actually costs, how long it takes, and what to do this week.
Dependency Review: Catching Malicious Packages Before They Merge
GitHub's dependency review action scans every PR for new dependencies with known vulnerabilities and license changes before they hit your default branch. Here's how to set it up with real configs.
Infrastructure as Code Is Your Biggest Security Win
IaC isn't just an ops efficiency play — it's the single highest-leverage security decision most teams can make. Here's why treating infrastructure as code means every security control is reviewable, reproducible, and enforced before anything hits production.
Security Is a Feature, Not a Phase
Shift-left security means embedding security into design and CI/CD from day one — not adding a review gate before production. Here's what that actually looks like with real workflows, policies, and threat modeling practices.