Notes
Written technical positions
How we think about the work — judge the engineering before you ever talk to us.
- Comparison: CSPM severity vs attack-path prioritization
  Why a flat CVSS/CSPM severity list buries the findings that can actually breach you, and how to re-rank by reachability and blast radius.
- Comparison: AI governance SaaS vs policy-as-code you own
  The difference between a dashboard that watches your AI usage and policy-as-code that refuses it — and why only the second survives you cancelling the subscription.
- A landing zone you can’t apply yourself is just someone else’s repo
  The test of a cloud foundation isn’t the architecture diagram — it’s whether your own team can vend account 51 from the repo without calling anyone.
- Ship the code, not the slide deck
  Why an infrastructure engagement should end in something that compiles and runs in your account — and why a recommendation-to-build quietly offloads the hard part back onto you.