CCDE Reading List

One of the most common questions I get from CCDE candidates is: “What should I read?” and “Where should I start?” This post is the CCDE reading list I actually…
The post CCDE Reading List appeared first on JTnetwork.io.

A few weeks ago, we published our initial findings from Project Glasswing, looking at what happens when you point frontier security models at an enterprise codebase. We also explored how our defensive structures adapt to protect our infrastructure and customers from threats posed by frontier AI. Since then, the AI ecosystem has continued to shift rapidly — developers who've built tightly around a single model have already experienced what happens when that model is no longer available or gets superseded by a more capable one. These market shifts only reinforce our core thesis: no matter which underlying model is leading the pack on any given day, the future of agentic workflows will not be found in standalone models, prompts, or single-agent sessions.
Moving from a localized security "skill" to a continuous, fleet-wide scanning pipeline requires an architecture where models are treated as interchangeable components. Relying on a single model inherently limits defensive coverage, as the same system will tend to look at code paths through the exact same lens. To counter this, models should be frequently interchanged and cross-tested. By varying the models across the pipeline — such as using one model for initial discovery and an entirely different …
Twelve years ago this month, Cloudflare launched an ambitious project built on a simple idea: people shouldn’t be knocked offline just because someone more powerful disagrees with them. Today, Project Galileo provides free access to cybersecurity services to more than 3,400 websites belonging to journalists, human rights defenders, and other nonprofit organizations in 120 countries. We continue to believe that a better Internet is one where anyone with an idea can reach a global audience.
Each year on the anniversary of Project Galileo, we announce new products, programs, and strategic partnerships. To celebrate our 12th anniversary this year, we’re publishing our first comprehensive report on cyberattacks targeting civil society, releasing case studies that explore the security needs of 16 Project Galileo participants, and announcing new project partners.
Because Project Galileo now includes 3,400 domains belonging to organizations in over 120 countries, Cloudflare has access to unique data regarding the cyber threats, attacks, and trends targeting civil society — a critical pillar of global democracy. In addition, because the Cloudflare network spans more than 335 cities in 125 countries and more than 20% of the web sits behind it, …
It’s been a while since I did an on-premises installation of the Catalyst SDWAN controllers and as I recently had to go through the process, I thought I would document it and post it here for people that want to build their own lab.
The first thing that happens after booting the Manager is that you need to log in with admin/admin and then set a new password:
vmanage login: Admin
Password:
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on vmanage
You must set an initial admin password different from default password.
Password:
Re-enter password:
After that we must select the persona (what services the Manager should run). For a non-cluster install it’s going to be both COMPUTE and DATA:
1) COMPUTE_AND_DATA
2) DATA
3) COMPUTE
Select persona for vManage [1, 2 or 3]:
Select 1.
You will be asked to confirm:
You chose persona COMPUTE_AND_DATA (1)
Are you sure? [y/n]
Type y.
You will then be asked which storage device to use (you need a secondary disk):
vManage has been deployed with persona : {"persona": "COMPUTE_AND_DATA"}
Available storage devices:
sdb 100GB
1) sdb
Select storage device to use:
Here I’ll select 1.
Ali Bahadır Coşkun wrote a nice article describing how he mastered extending a VLAN with static VXLAN with the help of free netlab-powered VXLAN labs.
The same set of lab exercises includes six VXLAN labs, almost a dozen EVPN labs, and a few EVPN designs. I might add a lab or two during the summer break.
In a previous post I made pipes in unix shells more reliable. Well, it had some drawbacks. I’ll summarize the problem, the failed previous version, and then show the new and improved one.
Downstream processes in a unix shell pipe cannot know if the upstream finished successfully, or exited with an error. This means that they can’t know if they should “commit” the data they received.
Example uses:
$ pg_dumpall | xz -9 | google_cloud_storage_upload gs://bucket/path/postgres.dump
$ generate_data | psql --single-transaction
In both of these cases you want the right hand side to STOP, and not finalize the upload or commit the transaction.
$ goodpipe <<EOF
[
["gsutil", "cat", "gs://example/input-unsorted.txt"],
["sort", "-S300M", "-n"],
["gzip", "-9"],
["gsutil", "cp", "-", "gs://example/input-sorted-numerically.txt.gz"]
]
EOF
This works fine for simple cases, but doesn’t support tee or per-command
environment variables very well.
And I don’t want to invent a complex language, so my replacement took a different path.
wp instead wraps the input and/or output with a very minimal encapsulating
protocol. This allows normal data to pass through, but still allows the
downstream to get EOF as metadata.
2026 is the year agent harnesses go to production. The software that controls the model’s access to the outside world — harnesses like Codex, Claude Code, OpenCode, Pi, and Project Think — has matured to the point where teams are deploying agents as real, load-bearing infrastructure, not just prototypes.
But building agents that survive production is hard.
We learned this firsthand building Project Think as our first-party agent harness. In working with our customers to run agents in production, we found a common set of distributed systems problems that every agent faces when running in the cloud. When an agent is interrupted, how can it automatically and gracefully resume from where it left off, without losing context or wasting tokens? How can agents run untrusted code securely? How can agents use the tools they were trained for?
A harness can’t solve these problems on its own. They’re tied to state, storage and compute — which means they’re dependent on the platform the agent runs on. That’s why we’re taking our learnings from hardening Project Think for production and bringing them to the Cloudflare Agents SDK as a base layer. Durable execution, dynamic code execution, a durable filesystem and dynamic …
For a decade, one idea has guided everything we’ve built at Tigera: How do you secure a dynamic system with a lot of moving parts that is changing rapidly, with a programmatic approach? Calico has applied that idea for Global 2000 companies running the largest Kubernetes platforms in the world, securing tens of millions of mission-critical transactions every day. Today I’m excited to announce the next chapter of that work: Lynx, a unified control plane for Kubernetes-native AI agents.
This enables us to apply our deep knowledge of Kubernetes, eBPF, and our expertise in building scalable and highly performant systems to solve the security challenges that come with deploying AI Agents. Before I explain how Lynx addresses these challenges, it’s worth being clear about why AI agents are so hard to secure in the first place.
The enterprise security tooling most organizations run was designed for workloads that are deterministic. A service does roughly the same thing today that it did yesterday. You can reason about its behavior, define what it’s allowed to touch, and trust that a valid credential maps to expected actions.
AI agents don’t work that way.
Adopting or migrating to a Zero Trust network architecture can be a daunting task. Before a single policy changes, teams have to recall how their network is actually built: which applications exist, their authentication and authorization constructs, how traffic flows between them, and any assumptions the current architecture makes. This hands-on process requires practitioners to decode the intent behind every security and routing policy in place.
Today, we’re releasing the Cloudflare One stack, a set of skills you give to your agent to configure, deploy, and manage your Zero Trust environment for you. This toolkit is designed to help automate the process of learning an entirely new security suite and mapping your existing one into Cloudflare.
Cloudflare has worked with thousands of customers through exactly this process. That repetition built expertise on where migrations stall, what questions come up every time, and what it takes to move forward. The Cloudflare One stack packages that expertise and makes it more accessible than ever.
Teams are already using agents to write code, triage alerts, and automate workflows. Organizations are increasingly asking for Cloudflare-provided tooling to help agents execute on security workflows. On their own, agents …
The town of Telc, in the Czech Republic, is a hidden gem that is a must-visit for lovers of historical tourism and classical architecture. This small town is famous for its charming main square, which blends Renaissance beauty with a unique Baroque style. This article takes you through the beauty of Telc and the main attractions that make it an appealing destination.
Telc is a small town in the Vysočina region of the Czech Republic with a long history dating back to the 14th century. The town is known for its well-preserved historic center, with Renaissance-style buildings that create a classic and elegant atmosphere. For this reason, Telc has become one of the UNESCO World Heritage sites popular for historical tourism.
The main focus for tourists visiting Telc is the extraordinarily beautiful town square. The square is lined with rows of colorful Renaissance-style houses decorated with decorative panels and classical ornaments that reflect the beauty of classical architecture.
In the world of sports, many activities are widely known, such as football, basketball, or swimming. However, there are also unusual sports that may not be well known to the general public, one of which is toe wrestling. This sport offers a different and highly distinctive concept of competition. Let's get to know more about toe wrestling, a traditional competition that originates from English culture.
Toe wrestling is a sport in which two participants compete by locking their toes together and then trying to bring down the opponent using particular techniques. It is similar to ordinary wrestling, except that here the toes are used rather than the hands.
This unusual sport is usually performed barefoot, and the participants struggle to “subdue” the opponent's foot on a small arena provided for the purpose. Sportsmanship and strategy in flipping or locking the toes are the keys to success in this competition.
Toe wrestling began in England in 1976, in a small town called Staffordshire. The sport was originally created as entertainment at a local pub, then grew into an annual event that attracts many participants and spectators from various regions.
Over time, toe wrestling became part of a traditional competition loved by many people and continues to be maintained …
In previous blog posts, I described the ARP issues in EVPN environments, starting with centralized routing, and then asymmetric IRB with unicast (per-leaf-switch) first-hop gateways. Of course, no self-respecting vendor would tell you to do that; anycast gateways are all the rage these days.
As always, anycast gateways could mean different things, depending on which vendor documentation you read ;)
SONiC (Software for Open Networking in the Cloud) is a Linux-based open-source network operating system that was originally developed at Microsoft and is now maintained by a broader open-source community. Its core idea is that the same network operating system can run on switch platforms from multiple hardware vendors. This reduces vendor lock-in and provides a more consistent operational model across different environments.
SONiC can also be viewed as an abstraction layer between network operators and the underlying switch hardware. Instead of learning and managing several vendor-specific operating systems, operators can use a common software architecture and management model across different switch platforms. This simplifies network operations, automation, monitoring, and telemetry collection. It can also reduce operational errors caused by configuration differences between platforms and make it easier to onboard new engineers.
Organizations can choose the hardware platform that best meets their technical, operational, and business requirements without being tied to a single software ecosystem. Some vendors provide commercially supported SONiC distributions together with professional support services, while others support community-based deployments or customer-tailored implementations. The appropriate model depends on the organization's operational requirements and support expectations.
From an architectural perspective, SONiC is a modular and container-based system. Major …