Haggai Philip zagury

An unsigned image or signed & never verified have the same security posture. Part 4 of the series is up: how to wire cosign verify into CI, enforce it at admission with policy-controller, and digest-pin via Renovate. 🔗 bit.ly/4tm5SVa #DevSecOps #Sigstore #Kubernetes

Epilogue to 7-part Zero Trust series: Not "how do I reach my service?" — but "how does my service reach the internet without opening a port?" ngrok, Cloudflare Tunnel, Tailscale Funnel, frp. Which are production. Companion k3d lab with all three. hagzag23.medium.com/the-reverse-tu…

Your CI image is a signed binary you run on every merge. Is it signed? Does it have an SBOM? Does it fail on high CVEs? Part 3 of the compliance rebuild series: Wolfi + syft + grype + cosign, wired into one Taskfile. 🔗 medium.com/israeli-tech-r… #DevSecOps #Wolfi

Most CVEs in your images aren't newly disclosed — they're stale packages Wolfi+daily rebuilds flips that. Part 2 of the compliance rebuild series is up: the fully open-source path, what the commercial tier adds, and how we eval it. 🔗 bit.ly/4vSUmCR #DevSecOps #FedRAMP

We trusted the wire. Then the VPN. Then the firewall. All of it cracked. I wrote a 7-part series tracing the full evolution — from telnet to Zero Trust: @hagzag23/list/the-road-2-zerotrust-36a1e3fef3bf" target="_blank" rel="nofollow noopener">medium.com/@hagzag23/list… #ZeroTrust #DevOps #CloudSecurity #PlatformEngineering

Two open-source drops this week: MiniMax M2.7 (56% SWE-Pro, self-evolving) + Gemma 4 (Apache 2.0, 26B MoE on 8GB RAM). The laptop is now a viable inference target, New post: Ollama on k3d when to reach for a VPS instead. medium.com/israeli-tech-r… #AgentCostWars #LocalAI #Ollama

Part 2: I want a personal agent. I'm not running one yet. Sandboxing, alternatives I'm testing, prompt injection as a design constraint, and the pre-flight checklist. → medium.com/israeli-tech-r…

March 2026 was the worst month autonomous AI agents have had. ClawJacked, 9 OpenClaw CVEs in 4 days, the Axios npm RAT, and the Claude Code source map leak — all in one window. I wrote a 2-part field report for fellow DevOps practitioners.

Part 1: ClawJacked, Axios, and the Autonomous Agent Problem. A timeline of what happened and why autonomous agents amplify supply chain attacks into full compromise handoffs -> medium.com/israeli-tech-r…

Karpathy quietly dropped LLM Wiki: 3 folders (raw/wiki/output) + a coding agent = RAG pipeline deleted. No vector DB, no embeddings. Just text that compounds. 5k stars in 2 days. This is it. 🧵 medium.com/israeli-tech-r… #AgenticAI #DevOps

קוד שזלג / תרגיל שיווקי גאוני 🤷‍♂️ ... ⁉️ leaked code / genius marketing trick ⁉️ dev.to/gabrielanhaia/…

After years of consulting I realized: silence isn't humility—it's negligence. Your clients hired your eyes, not just your hands. If you see a bug in the org's logic and say nothing, the system stays broken. New post on the outsider's mirror 👇 medium.com/israeli-tech-r…

שאלתי את עצמי שנים ״למה אני לא מצטרף לחברת מוצר״? או ״למה אני עובד בחברת ייעוץ / Consultancy Agency״? - במילה 1 רזולוציה הנה כמה פריימים מהפודקאסט האחרון בנושא platform engineering ואיך הוא מעצב / משתנה בעידן ה A.I ובינתיים הפודקאסט -> open.spotify.com/show/1V7AwfjNg…

I called M2.5 a disruption 6 weeks ago. GLM-5, M2.7, and Gemini 3.1 Pro just made it more complicated. Intelligence is converging. Price is diverging. The leaderboard will look different in another 6 weeks. → medium.com/israeli-tech-r… #DevOps #AgenticAI

MiniMax M2.5: 230B params, 4% activated per token, 80% SWE-bench, ~$1,892/year to run 24/7. The always-on agent is no longer a budget conversation. New post: what this means for platform teams 👇 bit.ly/4dAe6EA #AgenticAI #DevOps

Followup from yesterdays post: if you're using one CMK for everything in production, your blast radius is your entire infrastructure. Per-service keys, aliases for rotation, encryption context for binding bit.ly/4cZbFv8 #AWS #KMS #DevOps

When your AWS org hits 10+ accounts with compliance requirements, IAM Identity Center isn't enough. New post on using AWS LZA to build governed multi-account environments with TGW isolation — all driven by YAML configs. medium.com/israeli-tech-r… 🤓 #AWS #DevOps #LZA

Every week brings a new AI coding tool. More subscriptions, more context switching, less shipping. The fix? A focused 3-pillar stack! 🧠 Foundational Engine (design/research) 🚀 In-IDE Workhorse (velocity) 🔗 Project Agent (multi-file refactoring) hagzag23.medium.com/ai-chaos-and-p…

No slides, no pitches—just honest peer-to-peer conversation. Exactly how it should be, if you're tackling these challenges, I'd love to hear your approach in the comments 🤠

→ What are the hidden costs—the learning curve, accuracy validation, tooling overhead? → How do you enable entire teams (not just a few talented individuals) to adopt AI effectively? → What guardrails do you have in place for AI-assisted development?