Infrastructure Security
In-depth guides and analysis on infrastructure security from the Safeguard engineering team.
52 articles
Applying CIS Benchmarks to cloud infrastructure
CIS Benchmarks turn "be secure" into testable checks for AWS, Azure, and GCP — here's how to move from annual audit to continuous enforcement.
Applying least privilege IAM in cloud-native environments
Least privilege IAM fails in practice because permissions are granted for convenience and rarely revoked. Here's how to fix that at cloud scale.
Securing managed Kubernetes clusters with IaC scanning
IaC scanning catches Kubernetes RBAC, network, and IAM misconfigurations in Terraform and Helm before they ever reach EKS, GKE, or AKS clusters.
Comparing Terraform security scanners: Snyk IaC, Checkov, tfsec
Snyk IaC, Checkov, and tfsec take different approaches to Terraform scanning — and one of them stopped getting new checks in 2023. Here's how they actually compare.
The cost of cloud misconfiguration breaches
New breach-cost data shows cloud misconfigurations now cost millions per incident and take months to detect — here's what's driving the trend and how to close the gap.
When the Cloud Pulls the Plug: The GCP Account Suspension That Took Railway Down (May 19, 2026)
On May 19, 2026, Google Cloud automatically suspended Railway's production account, taking down a platform fronting roughly 10 million services for about eight hours. The root cause was not a breach but a control-plane dependency and a provider action with no human in the loop.
When DNSSEC Goes Wrong: The .de TLD Signing Failure That Took Down German Domains (May 5, 2026)
On May 5, 2026, DENIC published unvalidatable DNSSEC signatures for the .de zone after a deployment defect made its signer generate three key pairs instead of one. Validating resolvers worldwide, including Cloudflare's 1.1.1.1, were forced to return SERVFAIL.
Iran-Linked Actors Are Disrupting U.S. Water and Energy PLCs: Inside CISA/FBI Advisory AA26-097A (2026)
A joint FBI, CISA, NSA, EPA, DOE and Cyber Command advisory (AA26-097A, April 2026) warns that Iranian-affiliated actors are now causing operational disruption to internet-exposed PLCs across U.S. water, energy, and government facilities. Through May 2026 it is the defining OT threat. We unpack the campaign and the defense.
Snyk and HashiCorp Terraform Cloud partnership
Snyk's HashiCorp Terraform Cloud integration gates IaC risk at plan time — here's what it covers, what it misses, and how reachability closes the gap.
What is Infrastructure as Code (IaC)
IaC turns infrastructure into versioned code, but one bad Terraform default can replicate a security hole across every environment it touches.
What is IaC Security
IaC security scans Terraform, CloudFormation, and Kubernetes code before deployment—catching misconfigurations before they become breaches.
What is Terraform Security
Terraform security means finding and fixing risks in IaC code, state files, and providers before they become live cloud misconfigurations.