TECHNICAL_ARCHIVE
Rethinking Identity for Agentic Systems
The mental model I use to reason about identity controls across the originating principal, the agent, and the infrastructure running it.
Streamline Policy Documentation with Automation and AI
Policy documentation goes stale the moment someone edits a rule in the admin console. I built a pipeline that pulls policies straight from Okta's API, renders them as Mermaid diagrams, and lets me query the whole thing in plain English — full walkthrough, code included.
Okta Policies: Best Practices for Secure Access Controls
Configuring Okta policies isn't a setup task you do once and forget — it's the actual control surface between an attacker with a stolen password and an attacker with access to your systems. Here's what I check when hardening a tenant, end to end.
Introduction to Okta Policies
Okta Policies aren't just another configuration screen — they're the foundation of identity and access management in the Okta ecosystem. First in a short series on how they're structured and how they actually get evaluated.
Quantum Computing: The Next Frontier in Cybersecurity
Shor's algorithm doesn't threaten AES the way people assume — it threatens the key exchange and signatures wrapped around it. What's actually at risk, what NIST has already standardized, and how to check if your own stack has a post-quantum-safe cipher suite available yet.
What's Actually in My Security Backpack
The tools I carry matter less than the skills that decide which tool to reach for. A rundown of what's actually in rotation: risk assessment, networking, CLI fluency, automation, incident response, and the two soft skills that tie it together.
Nobody Reads a Vulnerability List — They Read the Story Behind It
A pentest report full of CVSS scores doesn't get prioritized. A five-sentence walkthrough of how an attacker chains three of those findings into data access does. Notes on turning a findings list into something that actually drives a decision.
The IAM Automation That Actually Matters: Deprovisioning
Provisioning automation gets all the demo attention. Deprovisioning is the one that actually closes the risk window, and it's the one most orgs still do by hand or not at all.
The Spaghetti Access Matrix: Identity Discovery, Then and Now
If you don't know an access path exists, you can't secure it. Notes from a real discovery engagement on mapping identity providers, shadow access paths, and the account lifecycle gaps nobody had documented — plus how I'd run this differently with autonomous agents in the mix.
MFA Fatigue: How to Protect Your Users
An attacker who already has a stolen password doesn't need to crack anything else — they just need to send enough push notifications until someone taps approve to make it stop. No single control fully closes that off, which is why this has to be layered, not a single fix.