This is a reflective end-of-year post on using AI to make our app wishes come true. Happy holidays! ❄️ Markets of one I came across Robin Sloan’s “An app can be a home-cooked meal” early this ...

Azure Key Vault Contributors are not allowed access to Key Vault data. But did you know they can still gain access to Key Vault keys, secrets, and certificates when a key vault is using access poli...

The Azure Resource Graph Explorer is a great way to quickly understand your Azure netework exposure. Simple KQL queries let you review all your resources at once, free of charge! More complex joins...

This post documents the process to create and test a new attack technique for Stratus Red Team, a threat emulation tool built in Terraform and Go. Introduction I recently had the opportunity to co...

Quick notes on Terraform + Entra ID. On quickly building labs I recently needed a quick Entra ID test environment to better understand groups, role assignments, and administrative units. Several g...

I recently published an article on Datadog Security Labs. This article is about how Entra ID’s restricted management and hidden membership administrative units (AUs) can be used for privileged pers...

Learning from Wiz’s EKS Cluster Games in AWS. Last November, the Wiz team released the EKS Cluster Games for practice attacking Amazon Elastic Kubernetes Service (EKS) environments. I had a blast ...

Creativity fuels us: End-of-year reflections. The Talk In October, I had 5 minutes to address the end-of-day crowd at BSides Toronto during a spontaneous Lightning Talks session. I love Lightning...

Learning from Wiz’s Big IAM Challenge in AWS. In the leadup to fwd:cloudsec last month, the Wiz team released The Big IAM Challenge. While I didn’t have time to work on this CTF ahead of the confe...

This post is a part of the “Career Fundamentals” series. How to become comfortable & confident with self-guided projects and learning. Why Learn Hands On? These days, it feels like there...