Andrew Lagutin’s Post

A few weeks ago I shared progress on SysGuard as a security baseline tool. This week I focused not on adding new checks - but on making the tool predictable for automation. Phase 2.2 is now complete: JSON reporting and severity policy. What changed: 🔸 Introduced a unified JSON contract for every check result (check_name, status, severity, message, data) 🔸 Added a formal severity model: - ok - warning - critical 🔸 Implemented a stable exit-code policy: 0 → ok 1 → warning 2 → critical 🔸 Removed early-exit logic - now every run produces a full system snapshot 🔸 Improved CLI behavior: JSON output can be redirected (--output) logs stay in stderr / file quiet mode without breaking the contract Why this matters: - The tool is no longer just "a set of checks". - It now behaves like a data producer with a stable contract, which makes it usable in: CI/CD pipelines automation workflows scheduled health checks Instead of parsing logs, external systems can rely on: - structured JSON - deterministic exit codes Next focus: - contract tests in CI - secrets hygiene (env-based + masking) - smoke e2e runs Still a work in progress - but the project is starting to look less like a script and more like a system component. https://lnkd.in/eJURQX_X #DevOps #Python #Linux #SRE #Automation #LearningInPublic #SysGuard

Claude Code is not ONLY for programmers... I have used it to do DevOps type of things fixing vulnerabilities... and tonight I pushed it to do more, and it did surprisingly well... I don't think I would be able to accomplish below in one night without agents: - create a podman machine and a kind k8s cluster. - (this step is relatively straightforward) - install and config cert-manager operator to provide TLS - a more realistic production-grade lab environment - install and config Prometheus, Grafana stack - install and config cockroachDB, the PostgreSQL on steroid - the DB that won't die  - access all these from local laptop to these resources running in a k8s cluster within the laptop - automated the lab shutdown and restart - tested working! - capture all the learning into documentation - there were quite some gotchas could easily put me up for many whole-nighters. - create a skill so that Claude Code could help me to recreate the whole lab automatically, or perform some tasks, or troubleshooting if needed, in the future wow, amazing agents could really amplify every one of us and make the impossible possible, if you give them a chance...   CHEERS #claudecode #podman #kind #k8s #cockroachdb

Watching the Anthropic GitHub situation unfold recently was a sobering moment for anyone running an engineering team. A minor misconfiguration leaked some internal code. To contain it, an automated DMCA script was deployed. But the script couldn't distinguish between the leaked secret and legitimate developer forks. Thousands of innocent projects got caught in the crossfire before the manual "undo" button was hit. It highlights a tension we are all dealing with: the speed of automation versus the nuance of human judgment. We are building incredibly fast automated defenses to protect our perimeters. But when those scripts are given the authority to execute, like issuing a takedown, without a human circuit breaker, the blast radius is entirely unpredictable. If a critical alert goes off in your infrastructure today, how much autonomy does your containment script have? #CTO #Security #DevOps

If you can run `kubectl get secret`, you can read every password in your cluster. Most engineers running Kubernetes in production don't realize this. Everyone assumes: "K8s Secrets are encrypted." Reality: They're base64. One command and your DB password is in cleartext. Pattern I see again and again — the same 4 mistakes: 1. Secrets committed straight into Git 2. EncryptionConfiguration never turned on (it's OFF by default) 3. RBAC assumed to be "tight enough" 4. No external secret manager in sight It feels secure. Until someone actually tests it. I broke down the proof, the 3 myths every team still believes, the honest ConfigMap vs Secret comparison, and the 5-step fix in the carousel below 👇 Slide 3 is the one most engineers screenshot. Honest question -> which fix is highest priority for your team right now? 1, 2, 3, 4, or 5? Base64 is encoding. Not security. Treat every Kubernetes Secret as plaintext until you can prove otherwise. Most clusters can't. #Kubernetes #DevOps #PlatformEngineering

I just open-sourced a small repo for a problem I think more teams need to take seriously: after a high-profile tooling incident, the real risk is not just the vendor mistake; it is what happens next on developer machines. People get curious. They search for “leaked” source. They clone the wrong repo. They download the wrong binary. They weaken local guardrails to “just test something.” And suddenly the problem is no longer theoretical; it is sitting on a workstation with real credentials, real access, and real repos. If you are using agentic dev tools, or if your team moved quickly during the recent Claude Code scare, it is worth checking your systems now; not later. Open source repo is here: https://lnkd.in/gwyx9AY9 #CyberSecurity #AppSec #DevSecOps #IncidentResponse #DFIR #SupplyChainSecurity #OpenSource #Python #DeveloperTools #ClaudeCode

Empire 6.6.0 sponsors early access is live. This is one of the biggest releases we've shipped. A new C agent, BOFs, and ATT&CK gap-filling modules, and serious performance work under the hood. C agent (Cpire) • A new lightweight C agent with full staging, encrypted communications, and task execution. Shell, PowerShell, C#, BOFs, upload/download, and directory listing. 8 new BOF modules • unhook — refresh DLLs to strip EDR/AV API hooks • patchit — all-in-one AMSI + ETW patch/check/revert • inject_amsi_bypass / inject_etw_bypass — remote-process bypass via syscalls • credman — Credential Manager dump via SeTrustedCredManAccess • handlekatz — handle-duplication LSASS dump • bofroast — Kerberoasting without .NET CLR dependency • nanodump — LSASS minidump via multiple evasion techniques (handle dup, process fork, snapshot, seclogon leak) 49 new modules (32 PowerShell, 17 Python) • Built against Atomic Red Team to close ATT&CK coverage gaps: credential access, defense evasion, persistence, lateral movement, proxy execution (mshta, CHM, CMSTP, InstallUtil, regasm, msiexec, rundll32, regsvr32), VM detection, BITS jobs, browser cookie theft, and more. Scales cleanly under concurrent load • Resolved DB pool exhaustion, unblocked the event loop across all 216 API endpoints, and isolated donut shellcode generation per-call to fix concurrency-driven failures. Hardened obfuscation pipeline • The Invoke-Obfuscation subprocess now runs with a configurable timeout, process group isolation, return-code checking, and graceful fallback to keyword obfuscation on failure. Eliminated double-obfuscation that was spawning a redundant PowerShell subprocess per task. Plus roughly 20 more fixes across modules, agents, and core. Sponsors get early access first; public release next month. Thanks to everyone supporting the project; your support is why these releases keep getting bigger. #redteam #offsec #infosec #adversaryemulation #empire https://lnkd.in/gRSvmRQ

The EU CRA assumes product developers can keep up with vulnerability reporting and mitigation. That assumption is about to break. Let me explain: Just last week, Anthropic researcher Nicholas Carlini demoed Claude Opus 4.6 autonomously discovering zero-day vulnerabilities in production systems - a blind SQL injection in Ghost CMS (50k stars on GitHub, never had a critical vulnerability before) and a heap buffer overflow in the Linux kernel's NFSv4 daemon that had been sitting there since 2003. These aren't toy demos. These are real vulnerabilities in battle-tested code that sits at the core of products being built today. Now imagine thousands of AI agents scanning every library, every dependency, continuously. We're heading toward a world where the rate of vulnerability discovery completely outpaces anyone's ability to respond. When you layer the EU CRA on top of that, product developers are going to find themselves in a brutal position - reporting new vulnerabilities within 24 hours, full notifications within 72 hours, and mitigating across a dependency tree they don't fully control. Potentially on a daily basis. This raises two questions I think we need to take seriously as an industry: 1. Are regulations that focus on reporting and patching actually sufficient? When the pace of discovery outpaces any team's ability to fix, the game changes. We need to talk about resilience - not just in design, but layering controls that assume vulnerabilities exist and contain their impact. Chasing an endless stream of patches isn't a strategy, it's a treadmill. 2. What does this mean for the future of open source? Every modern product is built on a deep stack of open source dependencies. Finding vulnerabilities in them is about to become exponentially easier than patching them. Under CRA, product companies are on the hook to fix what's found - but the maintainers they depend on aren't getting resourced to keep up.

𝗪𝗲𝗮𝗽𝗼𝗻𝗶𝘇𝗶𝗻𝗴 𝗔𝗿𝗴𝗼𝗖𝗗 𝗔𝗽𝗽𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗰𝗿𝗲𝗮𝘁𝗲 on 𝗮𝗽𝗽𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻𝘀.𝗮𝗿𝗴𝗼𝗽𝗿𝗼𝗷.𝗶𝗼 is enough to deploy privileged workloads cluster-wide without ever touching pod creation RBAC. ArgoCD's own service account does the work. The attacker just points it at a repo they control. 𝘀𝗲𝗹𝗳𝗛𝗲𝗮𝗹: 𝘁𝗿𝘂𝗲 handles persistence. Delete the DaemonSet, ArgoCD brings it back. The only fix requires more access than the attacker ever needed. 𝗟𝗶𝗻𝗸: https://lnkd.in/gZhYNAME #Kubernetes #K8s #CloudNativeSecurity #KubernetesSecurity #RBAC #Offensive #ThreatDetection

🔐 Excited to share our CA2 Project for CSE-316 (Operating Systems) at Lovely Professional University! 🚀 Project Title: User-Friendly System Call Interface for Enhanced Security We built SecureOS v2.0 — a Python + Streamlit based application that simulates how an Operating System controls and secures system calls like read, write, delete, kill & shutdown through a multi-layered security pipeline. 🛡️ What our project does: ✅ Role-Based Access Control (USER / ADMIN / SYSTEM) ✅ Multi-level Trust Hierarchy (Low → Critical) ✅ Authentication with Account Lockout (3 failed attempts = locked) ✅ 7-Layer Policy Engine (deny list, allow list, time restrictions & more) ✅ Real-time Audit Logging of every system call request ✅ Intuitive Streamlit UI — no HTML or JS needed! 🧠 Concepts Applied: → OS-level system calls & access control → RBAC (Role-Based Access Control) → Security policies similar to SELinux & AppArmor → Audit trails & event logging 💻 Tech Stack: Python | Streamlit | GitHub 📽️ Watch the full demo here 👇 https://lnkd.in/ddvDZ_a9 💻 Source Code on GitHub 👇 https://lnkd.in/dFE5hHkS Huge shoutout to my amazing teammates @Manmohan and @Aagat for making this happen! 🙌 Special thanks to our professor @Isha for the guidance and support throughout this project! 🙏 #CSE316 #OperatingSystems #Python #Streamlit #ChandigarhUniversity #SecureOS #SystemCalls #RBAC #CyberSecurity #OpenSource #GitHub #StudentProject #ComputerScience #OS #Programming #TechProjects #CA2Project #CloudComputing #AccessControl #Python3

🚀 𝗜𝗻𝘁𝗿𝗼𝗱𝘂𝗰𝗶𝗻𝗴 𝗗𝗲𝗽𝗲𝗻𝗱𝗲𝗻𝗰𝘆 𝗔𝘂𝗱𝗶𝘁 𝗼𝗻 𝗡𝘂𝗕𝗿𝗼𝘄𝘀𝗲.𝗰𝗼𝗺 The 𝗡𝘂𝗕𝗿𝗼𝘄𝘀𝗲 𝗣𝗮𝗰𝗸𝗮𝗴𝗲 𝗔𝗻𝗮𝗹𝘆𝘇𝗲𝗿 has evolved. What started as a simple update-status checker is now a full 𝗗𝗲𝗽𝗲𝗻𝗱𝗲𝗻𝗰𝘆 𝗔𝘂𝗱𝗶𝘁 designed to give developers a clearer picture of their project's dependency health - in seconds. Dependency Audit now analyzes: • Package Version update state • License compatibility • Known vulnerabilities • Deprecations • Package version health indicators And most importantly: It calculates a 𝘀𝗶𝗻𝗴𝗹𝗲 𝘂𝗻𝗶𝗳𝗶𝗲𝗱 𝗱𝗲𝗽𝗲𝗻𝗱𝗲𝗻𝗰𝘆 𝘀𝗰𝗼𝗿𝗲 that reflects the overall health of your project's dependency stack. The idea originally came from a suggestion after I introduced the 𝗣𝗮𝗰𝗸𝗮𝗴𝗲 𝗛𝗲𝗮𝗹𝘁𝗵 𝗜𝗻𝗱𝗶𝗰𝗮𝘁𝗼𝗿 last week - thanks again, Volker Holz. I took the weekend to rebuild the analyzer around that concept. The result: a faster way to understand dependency risk across your entire project at a glance. Try it here: ▶ https://lnkd.in/d6m8Ute6 I'd love to hear what you think and what features you'd like to see next. #dotnet #nuget #NuBrowse #package #opensource #BENABT