Technical Writing

Tech Blog

Cloud security, identity, infrastructure, and research. Deep dives, tools, and practical guidance.

Allow One, Allow All: When Conditional Access Loses the Plot
14 Jan 2026 · 7 min read · ConditionalAccess · EntraID

Conditional Access is often treated as a fine-grained policy engine, but recent platform design choices show that many modern Microsoft workloads collapse behind shared identities and brokers. When Dev Box, AVD, and Windows 365 all authenticate through the same app, ‘allow one’ can quietly become ‘allow all’.

OID-See: Giving Your OAuth Apps the Side-Eye
5 Jan 2026 · 26 min read · entra · azuread

OID-See or BloodHound for OAuth in Entra: mapping consent, scopes, assignments, and trust signals into a graph so you can spot impersonation risk and OAuth sprawl.

Silent Drip: When Sync Becomes a Slow Leak
3 Dec 2025 · 9 min read · research · msrc

An investigation into plaintext persistence and invisible data propagation through Microsoft Edge Drop.

The Unseen Variable: Identity, Agentic AI and the Path of Least Resistance
20 Nov 2025 · 21 min read · saas · cloud-security

Every few years the industry rediscovers a truth that has always been hiding in plain sight. We rename it, formalise it, and publish new …

GCP Professional Cloud Security Engineer: 2025 Study Resources Update
28 Sep 2025 · 3 min read · study · exam

Updated resources, exam lessons, and study guidance for the GCP Professional Cloud Security Engineer certification in 2025

SPADE: Side-channel Platform Abuse and Data Exfiltration
10 Sep 2025 · 7 min read · saas · cloud-security

SPADE describes how adversaries can abuse trusted SaaS-hosted runtimes like Google Colab to exfiltrate data and evade CASB, EDR, and proxy controls - bypassing enterprise defenses via unexpected channels.