Back to Basics: TLS and PKI from the Ground Up

This is the third article in my “Back to Basics” series. The goal is simple: take something modern engineers interact with daily through abstractions, and explain what is actually happening underneath. In the first article, I hardened an SSH daemon and explained why the defaults are insecure. In the second, I showed that containers are ordinary Linux processes wrapped in namespaces and cgroups. This article applies the same approach to TLS: strip away the abstractions, read the raw structures, and understand what the tooling is doing on your behalf. ...

June 29, 2026 · 16 min · 3263 words · Matteo Bisi

In 2026 I Am Still Asked Why You Need a Hardened Container Image Catalog

It’s 2026 and I still receive questions from customers and colleagues about why they should adopt a hardened container image catalog, why it matters, and how to justify the investment internally. I hear it from security engineers, from architects, from technical leads at companies that are otherwise doing serious work on their security posture. The honest answer is short: European regulations like DORA and NIS2 require it, and from a purely technological standpoint it is the logical evolution of how we have always managed infrastructure. Both arguments stand independently. Together they leave no room for debate. ...

June 24, 2026 · 9 min · 1727 words · Matteo Bisi

Cloud Native Days Italy 2026: A Wrap-Up from Bologna

Bologna, May 18-19: The Fifth Edition Bologna, May 18-19, 2026. The fifth edition of Cloud Native Days Italy is behind us, and I’m still riding the wave of energy it left behind. Writing this post as one of the organizers feels different from a regular conference recap. Seeing something you worked on for months actually land — with real people in real rooms — is hard to describe briefly. If you want to read how the journey to this edition started, I covered it in an earlier post. ...

May 22, 2026 · 4 min · 761 words · Matteo Bisi

SentinelOne Purple MCP: A Hands-On Guide to Singularity AI Integration

Every technical support team I have worked with shares the same friction point: an analyst keeps four tabs open simultaneously (the EDR console, a ticketing system, an asset CMDB, and a query window) and spends a sizeable chunk of their shift copy-pasting IDs between them. The intelligence exists. The problem is getting it out fast enough. The Model Context Protocol (MCP) is the most credible attempt I have seen yet to reduce that cost. It is a small, open specification for letting LLM-driven assistants invoke external tools in a typed, structured way: a server exposes a catalogue of tools with JSON Schema input contracts, and any MCP-aware client (Claude Desktop, Claude Code, Zed, or your own automation) can call them without writing any glue code. One server definition, every compatible client for free. ...

May 11, 2026 · 11 min · 2264 words · Matteo Bisi

CVE-2026-31431 Copy Fail: A Nine-Year-Old Kernel Bug, a 732-Byte Script, and a Root Shell

On April 29, 2026, CVE-2026-31431 was publicly disclosed. Nicknamed “Copy Fail”, it is a local privilege escalation in the Linux kernel with a CVSS score of 7.8, present in every major distribution running kernel 4.13 or later: Ubuntu, RHEL, Amazon Linux, SUSE, Rocky Linux. What makes it stand out from most CVEs in this class is how little an attacker needs: a 732-byte Python script, standard library only, no compilation, no race conditions, no kernel offsets. First try, every time. ...

May 1, 2026 · 7 min · 1393 words · Matteo Bisi

Ubuntu 26.04 LTS: What Changes for Security and Container Workloads

Ubuntu 26.04 LTS (“Resolute Raccoon”) shipped on April 24, 2026. Most of the coverage has focused on the desktop and the new Security Center UI, but I work almost exclusively on the server and infrastructure side, so I want to look at what actually matters for the teams I work with: those running Ubuntu Server as a base for VMs, bare-metal nodes, Kubernetes workers, and golden master images. My customers are split between RHEL and Ubuntu. The ones on Ubuntu are typically on 22.04 (few) or 24.04 LTS (most). The question I always get after a new LTS is the same: “Do we need to move now, or can we sit on the current version for another year?” This post is my attempt to give a structured answer, focused on security and container workloads, which is where I can actually add value. ...

April 30, 2026 · 7 min · 1342 words · Matteo Bisi

Kubernetes 1.36: The Release That Said Goodbye to Ingress NGINX

Introduction Tomorrow, April 22, 2026, Kubernetes 1.36 will be officially released. As a team leader working in security, part of my job is reading release notes to understand what is coming and, more importantly, to track the direction the developers are moving in. Some releases are routine progress; others signal a shift in priorities. This is one of those. Kubernetes 1.36 will be remembered as the release that formalized the end of Ingress NGINX. That alone would make it memorable; Ingress NGINX is too big and too deeply embedded in the ecosystem to ignore, and I will dedicate a section to it. But the focus of this post is security: alongside the NGINX retirement, 1.36 delivers meaningful hardening through the graduation of user namespace isolation to GA, faster SELinux volume labeling reaching GA, the stable release of external ServiceAccount token signing, and the permanent removal of features that have been known security liabilities for years. ...

April 21, 2026 · 9 min · 1756 words · Matteo Bisi

Linux 7.0: What Platform and Security Leaders Should Know

Every few kernel cycles, a release quietly shifts what is possible for the platforms running on top of it. Linux 7.0 is one of those releases. There is no single flashy new security module, no headline-grabbing feature, but there are several changes that collectively improve weak seams that cloud-native security teams have been working around for years. Before this release reached mainstream distributions, I spent a good hour working through the upstream changelog with GitHub Copilot, running multiple state-of-the-art models, cross-referencing commit messages, kernel documentation, and coverage from the broader community, and iterating until the picture was clear. ...

April 16, 2026 · 8 min · 1675 words · Matteo Bisi

KubeCon EU 2026: Community, Connections, and a New Hat

As usual after KubeCon, I went offline for a few days to recharge. After an intense week like that, it’s not optional; it’s survival. Four in a Row KubeCon EU 2026 Amsterdam delivered, as it always does. This was my fourth consecutive KubeCon (something that still feels surreal when I think about it). None of this would have been possible without the support of SIGHUP and ReeVo, who have consistently believed in the value of being present and active in this community. Genuine gratitude goes to both of them. ...

March 30, 2026 · 3 min · 492 words · Matteo Bisi

The Trivy Supply Chain Attack: A Breakdown of Credential Theft and the CanisterWorm Escalation

Introduction Trivy, the widely adopted open-source security scanner from Aqua Security, is a cornerstone of modern CI/CD pipelines and container security. With over 33,000 stars on GitHub as of March 2026, its footprint spans across Docker images, Homebrew, and countless developer machines. This ubiquity, however, made the supply-chain compromise discovered between March 19–21, 2026, particularly devastating. The incident was not a single point of failure but a multi-stage attack involving malicious releases, manipulated GitHub Actions, and a self-propagating worm that leveraged decentralized infrastructure. ...

March 21, 2026 · 4 min · 736 words · Matteo Bisi