A technical blog about what actually works — and what doesn't. Real projects, documented honestly.
The skepticism about AI-generated code is earned. Here's what a workflow that treats that skepticism as a design requirement actually looks like — with the receipts.
Our cloud servers all shared one identity. Auditors were asking questions we couldn't answer. Here's how we fixed it in a day — and what it means for your team.
How agentic AI closed a compliance gap that weeks of investigation and an open AWS Support case couldn't crack — and what that workflow actually looks like.
Full technical implementation of SSM Session Manager per-user identity using Microsoft Entra ID SCIM, IAM Identity Center ABAC, and CloudFormation StackSets — including every gotcha.
A shared server identity problem that blocked audit readiness for weeks was resolved in a single day using agentic AI. What was delivered, what it cost, and what it means.
A compliance gap that required weeks of cross-ecosystem investigation was closed in a day. What that means for how engineering leaders should think about staffing and delivery.
How I built and designed gitrdun.net entirely with Claude Code — Bauhaus system, scrolling ticker, Playwright test suite, and the embarrassing truth about my design instincts.
126 sessions, 447 hours, 187 commits — and a detailed breakdown of every time I wasted effort, got burned by wrong approaches, and had Claude delete a branch called 'entire'. Here's what the /insights report actually surfaces and how to use it.
A behind-the-scenes look at building a verified AI research engine — through iteration, mistakes, and a few smart shortcuts.
An afternoon's investment. Permanent research capacity. What it means when your team stops operating on best-guess findings.
The same problem, the same system — explained for the people who own the work, not the people who built the plumbing.
Config Aggregators give you a centralized view of live resources across your org. Deleted resources vanish from that view entirely. Here's what actually works for deletion tracking.
By default, the CloudWatch agent tries to monitor every mounted filesystem. Here's the filter list that cuts it down to what actually matters, and why each category belongs in the exclusion list.
A Python tool with CLI and web interfaces for analyzing VPC Flow Logs — SSH brute force detection, data exfiltration monitoring, sensitive port analysis, and WHOIS-enriched external traffic — with automatic AWS resource discovery.
The default KMS deletion window is 7 days. A developer running a cleanup script on Friday afternoon leaves the production team 3 days to catch it. Here's the SCP that enforces a 30-day minimum.
Legitimate S3 operations trigger GuardDuty findings. Without context, every alert requires manual correlation against change management systems. Embedding change request metadata directly in S3 operations gives the correlation system something to work with automatically.