BPF-based runtime policy enforcement
eBPF programs as in-kernel policy decision points: drop traffic that doesn't carry a signed identity, block syscalls outside a workload's allowlist, and emit audit events without sidecars.
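The syscall-allowlist half of this, as an added example that is not code from the original page: the filter below is built in classic BPF, the dialect seccomp loads through `prctl`/`seccomp(2)`, rather than eBPF, but it is the same pattern an eBPF LSM program applies with a map lookup instead of a jump chain. Opcode and return-value constants are the ones from `linux/filter.h`, `linux/seccomp.h` and `linux/audit.h`; the three-syscall allowlist and the `run_filter` interpreter are constructed here so the decision can be checked offline without loading anything into a kernel.

```python
"""Build a seccomp-bpf syscall allowlist (classic BPF), serialize it to the
struct sock_filter layout the kernel expects, and simulate its decisions.
Added example; not from the original page."""
import struct

# Opcode fields (linux/filter.h)
BPF_LD, BPF_W, BPF_ABS = 0x00, 0x00, 0x20
BPF_JMP, BPF_JEQ, BPF_K = 0x05, 0x10, 0x00
BPF_RET = 0x06
# Actions (linux/seccomp.h) and arch tag (linux/audit.h)
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ALLOW = 0x7FFF0000
AUDIT_ARCH_X86_64 = 0xC000003E
OFF_NR, OFF_ARCH = 0, 4  # offsets of nr and arch in struct seccomp_data

# Constructed allowlist for a minimal worker (x86-64 syscall numbers)
NR_READ, NR_WRITE, NR_EXECVE, NR_EXIT = 0, 1, 59, 60


def stmt(code, k):
    return (code, 0, 0, k)


def jump(code, k, jt, jf):
    return (code, jt, jf, k)


def build_allowlist(allowed, arch=AUDIT_ARCH_X86_64):
    """Return (code, jt, jf, k) tuples: kill unless the arch matches and the
    syscall number is in `allowed`. Arch is checked first so a 32-bit
    syscall table cannot be used to alias numbers in the allowlist."""
    if len(allowed) > 255:
        raise ValueError("jump offsets are u8; split the allowlist")
    prog = [
        stmt(BPF_LD | BPF_W | BPF_ABS, OFF_ARCH),
        jump(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0),  # match: skip the kill
        stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        stmt(BPF_LD | BPF_W | BPF_ABS, OFF_NR),
    ]
    n = len(allowed)
    for i, nr in enumerate(allowed):
        # On match, jump past the remaining comparisons and the KILL below,
        # landing on the final ALLOW; on mismatch fall through to the next test.
        prog.append(jump(BPF_JMP | BPF_JEQ | BPF_K, nr, n - i, 0))
    prog.append(stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS))  # default deny
    prog.append(stmt(BPF_RET | BPF_K, SECCOMP_RET_ALLOW))
    return prog


def serialize(prog):
    """Pack as struct sock_filter {u16 code; u8 jt; u8 jf; u32 k} (x86-64 LE)."""
    return b"".join(struct.pack("<HBBI", *insn) for insn in prog)


def run_filter(prog, nr, arch):
    """Minimal cBPF interpreter for the three instruction kinds used above.
    Returns the seccomp action the kernel would take for one syscall."""
    # struct seccomp_data: int nr; u32 arch; u64 ip; u64 args[6]
    data = struct.pack("<iIQ6Q", nr, arch, 0, 0, 0, 0, 0, 0, 0)
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == BPF_LD | BPF_W | BPF_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
            pc += 1
        elif code == BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET | BPF_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


if __name__ == "__main__":
    prog = build_allowlist([NR_READ, NR_WRITE, NR_EXIT])
    for nr in (NR_READ, NR_EXECVE):
        action = run_filter(prog, nr, AUDIT_ARCH_X86_64)
        print(nr, "ALLOW" if action == SECCOMP_RET_ALLOW else "KILL")
    print(len(serialize(prog)), "bytes of filter")
```

Installing the bytes from `serialize` requires `PR_SET_NO_NEW_PRIVS` first, and the kernel validator rejects any jump that leaves the program, which is why the match offsets are computed relative to the final `ALLOW` rather than hard-coded.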
Secret-zero distribution
How do you bootstrap trust into a fresh workload without hard-coding a credential? Notes on SPIFFE/SPIRE, AWS workload identity, and short-lived attestation flows that make the first secret unnecessary.
SLSA + data lineage as one graph
Provenance for code (SLSA) and provenance for data (column-level lineage) are the same shape: a directed graph of inputs, an identified actor that transformed them, and outputs. A unified graph would let a security review and a data audit answer the same questions from the same source.
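One way to build that unified graph, as an added example that is not code from the original page: the SLSA v1 provenance statement (in-toto `subject` / `predicate` layout, `resolvedDependencies`, `runDetails.builder.id`) and the column-lineage record are both constructed samples, the `etl-job` artifact, the `example.com` URLs and the `raw.*` / `mart.*` column names are hypothetical, and the two records are joined on the artifact digest so an upstream query from a derived column walks through the job into its source commit and builder.

```python
"""Merge a SLSA v1 provenance statement and a column-level lineage record into
one directed graph and answer upstream/downstream questions from either side.
Added example; the sample records below are constructed, not real."""
from collections import defaultdict, deque

# Constructed SLSA v1 provenance (in-toto statement) for one build artifact.
SLSA_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:oci/etl-job", "digest": {"sha256": "aa11"}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build/v1",  # hypothetical
            "externalParameters": {"source": "git+https://example.com/etl@main"},
            "resolvedDependencies": [
                {"uri": "git+https://example.com/etl",
                 "digest": {"gitCommit": "c0ffee"}},
                {"uri": "pkg:pypi/pandas@2.2.0", "digest": {"sha256": "bb22"}},
            ],
        },
        "runDetails": {"builder": {"id": "https://ci.example.com/builder/v1"}},
    },
}

# Constructed column-level lineage emitted by a run of that artifact. The job
# id carries the same digest as the SLSA subject, which is the join key.
COLUMN_LINEAGE = {
    "job": "pkg:oci/etl-job@sha256:aa11",
    "edges": [
        {"from": "raw.orders.customer_email", "to": "mart.customers.email_hash"},
        {"from": "raw.orders.amount", "to": "mart.customers.lifetime_value"},
    ],
}


def _digest_node(uri, digest):
    alg, val = next(iter(digest.items()))
    return f"{uri}@{alg}:{val}"


def slsa_edges(statement):
    """Yield (src, dst, kind) edges from a SLSA v1 provenance statement."""
    pred = statement["predicate"]
    for subj in statement["subject"]:
        artifact = _digest_node(subj["name"], subj["digest"])
        yield (pred["runDetails"]["builder"]["id"], artifact, "built-by")
        for dep in pred["buildDefinition"].get("resolvedDependencies", []):
            node = _digest_node(dep["uri"], dep["digest"]) if "digest" in dep else dep["uri"]
            yield (node, artifact, "built-from")


def lineage_edges(record):
    """Yield (src, dst, kind) edges from a column-lineage record."""
    for e in record["edges"]:
        yield (e["from"], e["to"], "derived-from")
        yield (record["job"], e["to"], "computed-by")


class ProvenanceGraph:
    def __init__(self):
        self.out = defaultdict(list)
        self.inn = defaultdict(list)

    def add(self, src, dst, kind):
        self.out[src].append((dst, kind))
        self.inn[dst].append((src, kind))

    def _walk(self, node, adj):
        seen, queue = set(), deque([node])
        while queue:
            for nxt, _ in adj.get(queue.popleft(), []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return sorted(seen)

    def upstream(self, node):
        """Everything (code, builders, source columns) that fed `node`."""
        return self._walk(node, self.inn)

    def downstream(self, node):
        """Everything (artifacts, columns) that `node` influenced."""
        return self._walk(node, self.out)


def build_graph():
    g = ProvenanceGraph()
    for edge in slsa_edges(SLSA_PROVENANCE):
        g.add(*edge)
    for edge in lineage_edges(COLUMN_LINEAGE):
        g.add(*edge)
    return g


if __name__ == "__main__":
    g = build_graph()
    print("upstream of mart.customers.email_hash:", g.upstream("mart.customers.email_hash"))
    print("blast radius of commit c0ffee:",
          g.downstream("git+https://example.com/etl@gitCommit:c0ffee"))
```

The same `downstream` call answers both reviewers' questions: "which tables did this compromised dependency touch" for the security review, and "which reports depend on this source column" for the data audit.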
Iceberg manifest analysis
Deep-diving into Apache Iceberg's metadata structures. Understanding how table evolution affects query performance — and how snapshot expiry policies double as a data-retention control.
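The retention-control angle, as an added example that is not code from the original page: the table metadata below is a constructed `metadata.json`-shaped document (`snapshots`, `current-snapshot-id`, `refs` with a tag carrying `max-ref-age-ms`, as in the Iceberg table spec), and `plan_expiry` is a simplified model of Iceberg's expire-snapshots rules (keep the current snapshot, live refs, the newest N, and anything younger than the age limit) rather than the project's own implementation, which additionally reasons per branch. Once a snapshot is expired its manifest list is unreachable, so time travel to that state is gone; that is what makes the expiry policy a retention control.

```python
"""Model Iceberg snapshot expiry as a data-retention control. Added example;
the metadata document is constructed and plan_expiry is a simplified model
of Iceberg's expire-snapshots rules, not the project's implementation."""
import json

DAY_MS = 24 * 3600 * 1000
NOW_MS = 1_700_000_000_000  # constructed reference time


def _snap(sid, age_days, parent=None, op="append"):
    s = {"snapshot-id": sid, "timestamp-ms": NOW_MS - age_days * DAY_MS,
         "manifest-list": f"s3://bucket/meta/snap-{sid}.avro",
         "summary": {"operation": op}}
    if parent is not None:
        s["parent-snapshot-id"] = parent
    return s


# Constructed table metadata: four snapshots, one tag pinning an old state.
METADATA_JSON = json.dumps({
    "format-version": 2,
    "current-snapshot-id": 4,
    "snapshots": [_snap(1, 40), _snap(2, 20, 1, "delete"), _snap(3, 10, 2), _snap(4, 1, 3)],
    "refs": {
        "main": {"snapshot-id": 4, "type": "branch"},
        "audit-q3": {"snapshot-id": 2, "type": "tag", "max-ref-age-ms": 365 * DAY_MS},
    },
})


def load_metadata(text):
    return json.loads(text)


def plan_expiry(metadata, now_ms, max_snapshot_age_ms, min_snapshots_to_keep):
    """Return (kept_ids, expired_ids, unreachable_manifest_lists).
    Simplified rules: keep the current snapshot; keep snapshots pinned by a
    ref whose max-ref-age-ms (measured from the pinned snapshot's timestamp)
    has not elapsed; keep the newest N; keep anything younger than the age
    limit. Everything else is expired."""
    by_id = {s["snapshot-id"]: s for s in metadata["snapshots"]}
    newest_first = sorted(by_id.values(), key=lambda s: s["timestamp-ms"], reverse=True)
    keep = {metadata["current-snapshot-id"]}
    for ref in metadata.get("refs", {}).values():
        sid = ref["snapshot-id"]
        ref_age = now_ms - by_id[sid]["timestamp-ms"]
        if ref_age <= ref.get("max-ref-age-ms", float("inf")):
            keep.add(sid)
    keep.update(s["snapshot-id"] for s in newest_first[:min_snapshots_to_keep])
    keep.update(s["snapshot-id"] for s in newest_first
                if now_ms - s["timestamp-ms"] <= max_snapshot_age_ms)
    expired = sorted(set(by_id) - keep)
    unreachable = [by_id[sid]["manifest-list"] for sid in expired]
    return sorted(keep), expired, unreachable


def apply_expiry(metadata, expired_ids):
    """Produce the post-expiry metadata: drop expired snapshots and any ref
    that pointed at one of them."""
    gone = set(expired_ids)
    out = dict(metadata)
    out["snapshots"] = [s for s in metadata["snapshots"] if s["snapshot-id"] not in gone]
    out["refs"] = {n: r for n, r in metadata.get("refs", {}).items()
                   if r["snapshot-id"] not in gone}
    return out


def time_travel(metadata, snapshot_id):
    """Manifest list for a snapshot, or None once it has been expired."""
    for s in metadata["snapshots"]:
        if s["snapshot-id"] == snapshot_id:
            return s["manifest-list"]
    return None


if __name__ == "__main__":
    meta = load_metadata(METADATA_JSON)
    kept, expired, lost = plan_expiry(meta, NOW_MS, 5 * DAY_MS, 2)
    print("keep", kept, "expire", expired, "unreachable", lost)
    after = apply_expiry(meta, expired)
    print("time travel to snapshot 1 after expiry:", time_travel(after, 1))
```

Two caveats worth keeping in mind when reading a real table's metadata this way: a tag with a long `max-ref-age-ms` silently extends retention of everything reachable from it, so an audit of retention has to enumerate `refs` and not just the age parameters; and expiry only removes reachability from the metadata tree, so data files referenced solely by expired manifests still exist until the clean-up pass deletes them.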
Block-based abstractions over DB / files / objects
Unified storage interfaces across databases, filesystems, and object stores. Can we abstract storage without sacrificing the locality and audit primitives each substrate provides?