If you don't control your AI agents, your agents control you :-)
Posts by Kyle Quest (the DockerSlim guy)
Anthropic Mythos and its ability to find new vulnerabilities got a lot of buzz... A great way to counter it is to reduce the attack surface by removing the software components you don't need, so Mythos can't find zero-day vulnerabilities in them. Can't exploit what's not there
Nice to be able to compare the reverse-engineered version of Claude Code with the original source code version
And you can also go through the "Kubescape NodeAgent Dungeon" hands-on course by Constanze (one of the speakers) on Iximiuz Labs (already available, by the way :-)) labs.iximiuz.com/courses/node...
If you are in Amsterdam for KubeCon this session on Tuesday will be great to see AND it's powered by Ivan's Iximiuz Labs!
So...when is it? It's happening after KubeCon in Amsterdam wraps up :-)
Some of the additional questions we'll cover: What packages can I use? What if there's no package to install? How to build packages from source?
We'll also try to build the images from the official repo (migrating to Terraform and removing its apko.yaml files caused a bit of confusion) github.com/chainguard-i...
This is the "minimal" project we'll be exploring (with the project creator himself!) github.com/rtvkiz/minimal
That's the question Ritvik also had and it was the origin of his "minimal" project. We'll learn how he did it and how you can do it too.
This week was a pretty cool Chainguard Assemble event and it was a great reminder that you can't have good Dockerfiles without good base images! But can you "assemble" your own Wolfi-based base container images?
And just like with any great recipe you need the best possible ingredients... A very detailed call graph is that key and foundational ingredient when it comes to full stack reachability!
That's better than nothing, of course, but it won't be full stack because the data needs to be interconnected. It also needs to be built around the application structure and data flows. And if the quality of the application code analysis is low then the rest of it isn't going to be great either.
Adding a bit more context to the last post... Full stack reachability isn't just a collection of data from different tools dumped into one place (looking at you ASPM :-))
That's why reachability is more important than ever in your battle against vulnerabilities, but it needs to cover the entire iceberg (the app code, the containers delivering the apps and the environment where the app is running). You need full stack reachability.
The AI code tsunami is already here... The software iceberg you are shipping to prod is becoming 10x bigger. And like with regular icebergs you don't see and don't know the biggest and the most dangerous part of it.
The best tutorial out there (and I've seen all of them :-)) if you are interested in understanding the container image internals (and with awesome diagrams, as usual, that make the tutorial 10x better):
"How Container Images Actually Work: Layers, Configs, Manifests, Indexes, and More"
The vendors are not willing to invest in making the products better because the major competitors are doing the same thing. Gotta love status quo
Having a good vulnerability scanner / SBOM generator that produces complete and accurate results AND that's not brittle when it comes to obfuscation and evasion is significantly harder than what the vendors are doing now (but still doable).
Are you a full Nix convert :) What would you say to the container users thinking about trying Nix?
Good news... AWS EC2 VMs finally support nested virtualization, which is great for AI sandboxing that uses microVMs like Firecracker (no need for super expensive bare metal instances). Bad news... It's only for the C8i, M8i and R8i EC2 instance types.
So many SomethingSomethingClaw projects and products everywhere
First time going to BSides Seattle or any other BSides! Already got pretty good interest and great questions about the talk on day 1
And now Google is getting into AI sandboxes reusing and rebranding their existing code execution tech github.com/GoogleCloudP...
Quentin Deslandes will speak on 'bpfilter: an eBPF-based firewall for fast packets filtering!' as part of our Kernel & Low Level Systems track at SCaLE 23x. Full details: www.socallinuxexpo.o...
Docker sandboxes now appear to use micro-VMs... Now it's getting interesting :-)
Looks like the hidden TeammateTool in Claude Code is getting a lot of interest... The version I reverse engineered, 2.1.9, unfortunately doesn't have it, but now there's a reason to do it again